
NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC
reply to pclover

Re: Comcast decides to block port 25 IN and OUT with no notice.

said by pclover:

Comcast in my area decided to block port 25 IN and OUT so my SMTP would stop working without notice.

Without notice? From other sources it appears that Comcast gave as much notice as SBC did when they implemented their port 25 embargo in 2002; I still have that e-mail announcement.

My current ISP blocks port 25 in both directions on DHCP accounts. They offer static IP accounts with no port 25 block. As others have suggested, a Comcast business account will give you port 25 access.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
reply to pclover
said by pclover:

said by JohnInSJ:

said by pclover:

All email to email server communicates over port 25 AFAIK for SMTP.

And if you are running a server, you're using comcast business class with a static IP, and your port 25 is not blocked.

Why is it assumed that I am running a server? I need to test to make sure an email server is working correctly!

You do? What kind of test are you running? Are you polling port 25 of an SMTP server? Is it your server? Why do you think repeated failed interactions with an SMTP server wouldn't get your IP banned at that server?
--
My place : »www.schettino.us


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC
said by JohnInSJ:

You do? What kind of test are you running? Are you polling port 25 of an SMTP server? Is it your server? Why do you think repeated failed interactions with an SMTP server wouldn't get your IP banned at that server?

Why do you think testing will result in failure? Here is a test (from a residential connection, no less):
C:\util\dig>telnet mx1.comcast.net 25
Connecting To mx1.comcast.net...
 
220 imta09.westchester.pa.mail.comcast.net comcast ESMTP server ready
quit
221 2.0.0 imta09.westchester.pa.mail.comcast.net comcast closing connection
 
Connection to host lost.
 
Does that qualify as a failure?

FWIW, the source IP address is not in a DUL. The generic form of the rDNS is: 173-228-7-21x.dsl.static.sonic.net, which Sonic.net will not submit to any DUL for obvious reasons. But my specific IP address will respond with, 'mxa.mydomain.tld'.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


pclover

join:2008-08-02
Santa Cruz, CA
Reviews:
·Comcast
said by NormanS:

said by JohnInSJ:

You do? What kind of test are you running? Are you polling port 25 of an SMTP server? Is it your server? Why do you think repeated failed interactions with an SMTP server wouldn't get your IP banned at that server?

Why do you think testing will result in failure? Here is a test (from a residential connection, no less):
C:\util\dig>telnet mx1.comcast.net 25
Connecting To mx1.comcast.net...
 
220 imta09.westchester.pa.mail.comcast.net comcast ESMTP server ready
quit
221 2.0.0 imta09.westchester.pa.mail.comcast.net comcast closing connection
 
Connection to host lost.
 
Does that qualify as a failure?

FWIW, the source IP address is not in a DUL. The generic form of the rDNS is: 173-228-7-21x.dsl.static.sonic.net, which Sonic.net will not submit to any DUL for obvious reasons. But my specific IP address will respond with, 'mxa.mydomain.tld'.

This points out that mail.comcast.net is responding to port 25.

This is what I need!

I need to verify on new servers that Port 25 can be accessed outside of the local network.

Does me no good to use an alternate port as email servers communicate with other emails servers over port 25 and if that's not working SMTP will fail and the mail queue will start building.

I was quoted around 94$ a month for business phone and internet. Free install with 2 year agreement.


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
reply to NormanS
said by NormanS:

Does that qualify as a failure?

Repeated probes with no response to handshake gets you banned from my email server, other admins may choose other patterns of malicious behavior to ban on.

And you not being able to reach an email server is (clearly) no indication of the health of the server. Why do you feel the need to do this from a residential account?
--
My place : »www.schettino.us


pclover

join:2008-08-02
Santa Cruz, CA
Reviews:
·Comcast
said by JohnInSJ:

said by NormanS:

Does that qualify as a failure?

Repeated probes with no response to handshake gets you banned from my email server, other admins may choose other patterns of malicious behavior to ban on.

And you not being able to reach an email server is (clearly) no indication of the health of the server. Why do you feel the need to do this from a residential account?

To test for firewall rules etc.

Yes, Some servers WILL do that however you do have to abuse it.

Also this thread is getting pointless. No more replies are needed.


jbob
Reach Out and Touch Someone
Premium
join:2004-04-26
Little Rock, AR
reply to pclover
Hmmmm...wonder if I missed the email? I have not noticed it here (the email notice) but just the same I quit using port 25 years ago. I even have port 25 blocked at my router to help prevent its usage by unexpected spam bots.


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC


reply to pclover
said by pclover:

said by NormanS:

said by JohnInSJ:

You do? What kind of test are you running? Are you polling port 25 of an SMTP server? Is it your server? Why do you think repeated failed interactions with an SMTP server wouldn't get your IP banned at that server?

Why do you think testing will result in failure? Here is a test (from a residential connection, no less):
C:\util\dig>telnet mx1.comcast.net 25
Connecting To mx1.comcast.net...
 
220 imta09.westchester.pa.mail.comcast.net comcast ESMTP server ready
quit
221 2.0.0 imta09.westchester.pa.mail.comcast.net comcast closing connection
 
Connection to host lost.
 

This points out that mail.comcast.net is responding to port 25.

No, sir; actually it does not. I was testing against an MX server to refute an argument about the response of an MX server. Nor is my result a failure. It is the wholly expected response of an SMTP server to the, "QUIT" command.

If I were to try the same to the Comcast message submission server, based on the Comcast pubs I would expect failure on port 25 (source IP address is not a Comcast IP address block) but success (to the "QUIT" command) on port 465.
C:\util\dig>telnet mail.comcast.net 25
Connecting To mail.comcast.net...Could not open connection to the host,
on port 25: Connect failed
 

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC
reply to JohnInSJ
said by JohnInSJ:

said by NormanS:

Does that qualify as a failure?

Repeated probes with no response to handshake gets you banned from my email server, other admins may choose other patterns of malicious behavior to ban on.

And you claim to run a server! Or is the SMTP "QUIT" command not a proper response to the handshake?

And you not being able to reach an email server is (clearly) no indication of the health of the server.

How is my posted result a failure to reach the server? The server properly responded with its banner, and properly accepted the RFC-compliant SMTP "QUIT" command. If, instead of quit, I had responded with, "EHLO mxa.mydomain.tld", I would have received additional SMTP prompts. As long as I continued to respond to prompts with proper, and appropriate commands, I could have sent an email to any Comcast user whose '@comcast.net' email address I know.

Why do you feel the need to do this from a residential account?

Why do you even care? As long as I am operating within the terms of my ISP.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
didn't see the quit, thought he just disconnected - forgive me. Whatever, no port 25 on residential, that's the rule.
--
My place : »www.schettino.us


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC
said by JohnInSJ:

didn't see the quit, thought he just disconnected - forgive me. Whatever, no port 25 on residential, that's the rule.

Whose rule? And how do you actually determine "residential"? I test for "DUL" on my server; "Dynamic User List".

Do you see the difference?

173-228-99-1x.dsl.dynamic.sonic.net
173-228-7-21x.dsl.static.sonic.net

The first is not allowed to run servers; indeed, port 25 will be blocked both directions.

The second is allowed to run servers, with port 25 access not blocked.

Upon receiving my static IP address assignment, I used the control to set my rDNS to 'mxa.mydomain.tld'.

So how should this work on my end?

Your MX: "Banner"
My MX: "EHLO mxa.mydomain.tld"
Your MX: "Pleased to meet you, mxa.mydomain.tld"
My MX: "MAIL FROM norman@mydomain.tld"
Your MX: "norman@mydomain.tld OK, SEND RCPTS"
My MX: "RCPT TO: you@yourdomain.tld"

And so on; why should you have a problem with that?
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
reply to NormanS
said by NormanS:

No, sir; actually it does not. I was testing against an MX server to refute an argument about the response of an MX server. Nor is my result a failure. It is the wholly expected response of an SMTP server to the, "QUIT" command.

If I were to try the same to the Comcast message submission server, based on the Comcast pubs I would expect failure on port 25 (source IP address is not a Comcast IP address block) but success (to the "QUIT" command) on port 465.

C:\util\dig>telnet mail.comcast.net 25
Connecting To mail.comcast.net...Could not open connection to the host,
on port 25: Connect failed
 

Actually using port 25 or port 587 to mail.comcast.net is doomed even from a Comcast IP address:


webhost:/ # telnet mail.comcast.net 25
Trying 2001:558:fe2d:70::33...
telnet: connect to address 2001:558:fe2d:70::33: Permission denied
Trying 2001:558:fe14:70::33...
telnet: connect to address 2001:558:fe14:70::33: Permission denied
Trying 76.96.40.158...
^C
webhost:/ # telnet mail.comcast.net 587
Trying 2001:558:fe2d:70::33...
telnet: connect to address 2001:558:fe2d:70::33: Permission denied
Trying 2001:558:fe14:70::33...
telnet: connect to address 2001:558:fe14:70::33: Permission denied
Trying 76.96.40.158...
^C
 



If you want to access the Comcast residential mail submission server, you have to use smtp.comcast.net (and that doesn't work on port 25 any more even if you are doing it from a Comcast IP address on a Comcast Business Class account):


webhost:/ # telnet smtp.comcast.net 25
Trying 2001:558:fe14:70::30...
Connected to smtp.comcast.net.
Escape character is '^]'.
554 omta20.westchester.pa.mail.comcast.net comcast Port 25 not allowed - http://customer.comcast.com/help-and-support/internet/email-client-programs-with-xfinity-email/
Connection closed by foreign host.
 
webhost:/ # telnet smtp.comcast.net 587
Trying 2001:558:fe14:70::30...
Connected to smtp.comcast.net.
Escape character is '^]'.
220 omta10.westchester.pa.mail.comcast.net comcast ESMTP server ready
quit
221 2.0.0 omta10.westchester.pa.mail.comcast.net comcast closing connection
Connection closed by foreign host.
 


OTOH, the Comcast Business Class mail submission server is still accessible using port 25:


webhost:/ # telnet smtp.po1.comcast.net 25
Trying 76.96.107.76...
Connected to smtp.po1.comcast.net.
Escape character is '^]'.
220 businessclass.comcast.net ESMTP mail service ready
quit
221 businessclass.comcast.net closing connection
Connection closed by foreign host.
 



--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.
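The telnet sessions NormanS and NetFixer pasted above show the outcomes a port-25 probe can have: a 220 greeting followed by a clean QUIT/221, a server that accepts the TCP connection but greets with 554, and a connect that never completes. Here is an added example (not code from any post in this thread) that runs the same probe from Python and classifies the result, so a filtered port (timeout) is told apart from a closed one (RST), a connect the local host itself refused, and a server that answers but will not do SMTP on that port. Hostnames and ports are whatever the caller passes; the loopback "greeters" in demo() are constructed stand-ins, not Comcast's servers.

```python
"""Probe an SMTP endpoint the way the telnet sessions above do, but classify the outcome
instead of eyeballing it.  Added example, not code from the thread."""
import socket
import threading
from dataclasses import dataclass


@dataclass
class ProbeResult:
    host: str
    port: int
    state: str    # ready | rejected | deferred | no-banner | refused | denied-locally | unreachable
    banner: str   # the greeting, "" if none arrived
    detail: str   # reply to QUIT, or the OS error text


def read_reply(rfile):
    """Read one SMTP reply, joining 'NNN-' continuation lines (RFC 5321 section 4.2.1)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            break
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":   # final line has a space (or nothing) after the code
            break
    return "\n".join(lines)


def classify_banner(banner):
    """220 is the only greeting that means 'go ahead'.  A 5xx greeting (the 554 'Port 25 not
    allowed' above) means TCP connected but the server refuses SMTP on this port."""
    code = banner[:3]
    if len(code) == 3 and code.isdigit():
        if code == "220":
            return "ready"
        if code[0] == "5":
            return "rejected"
        if code[0] == "4":
            return "deferred"
    return "no-banner"


def probe_smtp(host, port, timeout=5.0):
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            rfile = sock.makefile("rb")
            banner = read_reply(rfile)
            state, detail = classify_banner(banner), ""
            if state == "ready":
                sock.sendall(b"QUIT\r\n")          # close the session cleanly, as in the transcripts
                detail = read_reply(rfile)
            return ProbeResult(host, port, state, banner, detail)
    except socket.timeout as exc:
        # A filter that silently drops SYNs (the usual ISP port-25 block) looks like this.
        return ProbeResult(host, port, "unreachable", "", f"timeout: {exc}")
    except ConnectionRefusedError as exc:
        return ProbeResult(host, port, "refused", "", str(exc))   # RST: host up, nothing listening
    except PermissionError as exc:
        # EACCES/EPERM from connect() is raised by the local host's own firewall or security
        # policy (the "Permission denied" lines above); nothing reached the network.
        return ProbeResult(host, port, "denied-locally", "", str(exc))
    except OSError as exc:
        return ProbeResult(host, port, "unreachable", "", str(exc))


def fake_greeter(greeting):
    """Constructed single-connection stand-in for an MTA on 127.0.0.1: sends `greeting`,
    answers QUIT with 221, then closes.  Returns the ephemeral port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with srv, conn:
            conn.sendall(greeting)
            if conn.makefile("rb").readline().strip().upper() == b"QUIT":
                conn.sendall(b"221 2.0.0 test closing connection\r\n")

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Probe doubles modelled on the transcripts: a 220 MX, a 554 submission host, a closed port."""
    mx = fake_greeter(b"220 imta.example.net ESMTP server ready\r\n")
    msa = fake_greeter(b"554 omta.example.net Port 25 not allowed\r\n")
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed = spare.getsockname()[1]
    spare.close()                                  # nothing listens there now: connect gets an RST
    return {name: probe_smtp("127.0.0.1", p, timeout=3)
            for name, p in (("mx", mx), ("submission", msa), ("closed", closed))}


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:10} {r.state:14} {r.banner or '-'} | {r.detail}")
```

To test a real connection, call probe_smtp("mx1.comcast.net", 25) and probe_smtp("smtp.comcast.net", 587) from the link in question; "unreachable" on 25 with "ready" on 587 is the signature of an ISP port-25 block, while "rejected" means the block is being applied by the mail server, not the network. Probe once and send QUIT; repeatedly opening and dropping connections is the behaviour JohnInSJ says gets an IP banned.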


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
reply to NormanS
said by NormanS:

said by JohnInSJ:

didn't see the quit, thought he just disconnected - forgive me. Whatever, no port 25 on residential, that's the rule.

Whose rule? And how do you actually determine "residential"? I test for "DUL" on my server; "Dynamic User List".

Comcast's rule, per the post title, is that they will block port 25 on residential accounts.

Am I in the wrong thread?

I frankly don't care at all, I am on business class with static IPs because the features and access I require are available with that service.
--
My place : »www.schettino.us


jap
Premium
join:2003-08-10
038xx
reply to pclover
said by pclover:

All email to email server communicates over port 25 AFAIK for SMTP.

It's the historically agreed upon default, yes, with 26 & 587 being widely observed alternates. I've been running my outbound mail through pobox.com's SMTP service since the late 1990s on 587.

Seems a lame faux-security move for Comcast to block a few single ports just because they're the supposed registered port for some given function.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
Reviews:
·Comcast
said by jap:

Seems a lame faux-security move for Comcast to block 25.

It's not about security. It's about preventing direct MX which has been historically abused by spam bots running on compromised machines.


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC
reply to JohnInSJ
said by JohnInSJ:

Comcast's rule, per the post title, is that they will block port 25 on residential accounts.

Am I in the wrong thread?

No, but I was sucked away from the OPs concerns by my own obstinacy.

OP wants to test an off-Comcast network SMTP server, and definitely should get a business-class account for that purpose.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC
reply to jap
said by jap:

Seems a lame faux-security move for Comcast to block a few single ports just because their the supposed registered port for some given function.

It isn't lame; it is quite effective. From my own SMTP logs, back in 2002 (when SBC implemented port 25 blocking), I saw SBC drop from being the single, largest U.S. source of spam attempts to my accounts to near dead last.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
reply to jap
said by jap:

said by pclover:

All email to email server communicates over port 25 AFAIK for SMTP.

It's the historically agreed upon default, yes, with 26 & 587 being long established alternates. I've been running my outbound mail through pobox.com's SMTP service since the late 1990s on 587.

Seems a lame faux-security move for Comcast to block 25.

You are confusing SMTP with Mail Submission; there is a big difference. SMTP always uses port 25, and no authentication is required. A properly configured mail submission server (which can use port 26, 587, 1025, or whatever port the server is set up for) on the other hand "should" require authentication. It is the unauthenticated SMTP traffic that is the target for Comcast's port 25 block; a few improperly configured mail submission servers (that only allow the use of port 25) are simply collateral damage.

It is no more a "lame faux-security move" than the act of locking your doors, windows, and fence gates.
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.

JJV
Premium
join:2001-04-25
Seattle, WA
reply to pclover
I received this warning Jan 8.
My security cameras were using port 25 to send motion detected pictures.

Dear Valued XFINITY® Internet Customer,

We care about your email security when using our network. On August 1, Comcast announced that for security reasons we will no longer support the use of port 25 for sending email from programs like Outlook or Apple Mail. It appears that your computer is using port 25 to send email. A port is a connection through which information flows from a program on your computer, from another computer in a network, or to your computer from the Internet. Port 25 is an unsecured port, and it is increasingly used to send spam emails through malicious computer programs called malware. These spam emails are usually sent by computers that have been infected by viruses, and as a result, most users are unaware that their computers are sending spam. By no longer supporting port 25 to send e-mail, this will help prevent your computer from sending spam without your knowledge.


jap
Premium
join:2003-08-10
038xx

reply to NetFixer
said by NetFixer:

You are confusing SMTP with Mail Submission...

Thank you for the explanation. It makes sense: submit to SMTP server on port xxx (commonly 25, 26, or 587) but SMTP serves into formal mail system always on 25.

Now if in 1990 we had made it globally legal to publicly execute spammers and the CEOs of the corps they worked for we would have saved billion$, countless hours of hell, and all just email each other directly. Ah well.


dwhayden

join:2000-12-23
Greenwood, IN
reply to pclover
It appears around 5:30PM yesterday my inbound SMTP was blocked. Coincidentally this appears to be around the time I rebooted my Cable modem. Inbound SMTP is still open through IPv6.


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage


said by dwhayden:

It appears around 5:30PM yesterday my inbound SMTP was blocked. Coincidently this appears to be around the time I rebooted my Cable modem. Inbound SMTP is still open through IPv6.

Yep, you will find security holes like that everywhere now that IPv6 is starting to be implemented by people who haven't taken into account that IPv6 requires its own separate firewall rules. At this point in time, IPv6 is possibly the hacker's best friend (although of course Adobe, Microsoft, and Oracle are still on their holiday card list).
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


a nun

@b2b2c.ca
reply to pclover
They took 10 years to block that port? Since almost all users *never* use that port, it only makes sense to block that port. Yes, I've worked abuse for a very large ISP


mrpeach

@comcast.net
reply to dwhayden
Oddly enough, that's exactly what happened to me - the lure of faster speeds in an email prompted me to reboot my modem, then the sudden discovery I'd been screwed.


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC
said by mrpeach :

Oddly enough, that's exactly what happened to me - the lure of faster speeds in an email prompted me to reboot my modem, then the sudden discovery I'd been screwed.

I have not used port 25 for message submission in the last ten years. It is nice to have for running a mail server; but Comcast does permit that on residential accounts.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

TheBigCheese

join:2002-08-05
Philadelphia, PA
reply to pclover
Don't know about "no notice" as I received several snail mails about this. I do have a reason to want 25 open as my Netgear router sends logs over port 25 and there is no way to change the port number! I guess the only solution is to use a VPN but I don't see that the cost is justified (I'm cheap).


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC
said by TheBigCheese:

Don't know about "no notice" as I received several snail mails about this. I do have a reason to want 25 open as my Netgear router sends logs over port 25 and there is no way to change the port number! I guess the only solution is to use a VPN but I don't see that the cost is justified (I'm cheap).

If you have Windows [XP|Vista|7] Professional, then you have IIS, which includes a mail server. So set up IIS, and point your Netgear to 127.0.0.1:25. IIS SMTP will relay (so be certain to secure it against unauthorized access), and it can be configured to use any TCP port to send. So configure the server to use port 465 of whichever e-mail service you use.

And if you don't have the Professional version of Windows, there are free SMTP server applications which will run as a service, and do the same thing.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
Reviews:
·Comcast
Using 127.0.0.1 (or any other loopback address) merely points to the Netgear itself.

And you can not reach a loopback address on another device because these addresses are non-routable.

Stunnel is probably the lightest application that would work just fine.


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC
said by graysonf:

Using 127.0.0.1 (or any other loopback address) merely points to the Netgear itself.

And you can not reach a loopback address on another device because these addresses are non-routable.

Of course; my bad. Assuming IIS is running on a computer at 192.168.1.2, then pointing the Netgear at 192.168.1.2:25 should work.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum
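NormanS's suggestion above, a relay on a LAN host that listens on port 25 for the router and forwards over the ISP's authenticated submission port, can be built with nothing but the Python standard library. Added example, not code from the thread, from IIS or from Netgear: the relay only greets allow-listed LAN clients, which is the "secure it against unauthorized access" caveat in practice, and hands each message to a forwarder that uses SMTP_SSL on 465 plus AUTH. The addresses 192.168.1.1 (router) and 192.168.1.2 (relay host), smtp.example.net and the credentials are assumptions; demo() runs the whole path on loopback with a capturing forwarder instead of a real upstream.

```python
"""LAN-side SMTP relay for a device that can only send on port 25 (the Netgear log sender
above): accept from allow-listed LAN clients only, then submit upstream over an authenticated
port.  Added example; addresses, upstream host and account are assumptions."""
import ipaddress
import smtplib
import socket
import threading

# Assumption: the router is 192.168.1.1 and this relay runs on 192.168.1.2.
ALLOWED_CLIENTS = [ipaddress.ip_network("192.168.1.1/32")]


def client_allowed(addr, allowed):
    """The allow-list is what keeps this from being an open relay."""
    return any(ipaddress.ip_address(addr) in net for net in allowed)


def _addr(arg):
    """'FROM:<user@host>' -> 'user@host'; enough for a log sender, not a full path parser."""
    return arg.split(":", 1)[-1].strip().strip("<>")


def handle_session(conn, peer, forward, allowed):
    """Speak the minimum of RFC 5321 needed to collect one message per transaction."""
    rfile = conn.makefile("rb")

    def reply(text):
        conn.sendall(text.encode("ascii") + b"\r\n")

    if not client_allowed(peer[0], allowed):
        reply("554 5.7.1 relay access denied")   # refuse in the greeting itself
        return
    reply("220 relay.lan ESMTP local relay")
    sender, rcpts = None, []
    while True:
        raw = rfile.readline()
        if not raw:
            return                                # peer hung up
        cmd, _, arg = raw.decode("ascii", "replace").rstrip("\r\n").partition(" ")
        cmd = cmd.upper()
        if cmd in ("HELO", "EHLO"):
            reply("250 relay.lan")
        elif cmd == "MAIL":
            sender, rcpts = _addr(arg), []
            reply("250 2.1.0 OK")
        elif cmd == "RCPT":
            rcpts.append(_addr(arg))
            reply("250 2.1.5 OK")
        elif cmd == "DATA":
            if not sender or not rcpts:
                reply("503 5.5.1 MAIL and RCPT first")
                continue
            reply("354 end data with <CR><LF>.<CR><LF>")
            body = []
            while True:
                line = rfile.readline()
                if not line or line == b".\r\n":
                    break
                body.append(line[1:] if line.startswith(b".") else line)   # dot-unstuffing
            forward(sender, rcpts, b"".join(body))
            sender, rcpts = None, []
            reply("250 2.0.0 queued")
        elif cmd == "RSET":
            sender, rcpts = None, []
            reply("250 2.0.0 OK")
        elif cmd == "QUIT":
            reply("221 2.0.0 bye")
            return
        else:
            reply("502 5.5.2 command not implemented")


def forward_via_submission(sender, rcpts, data, host="smtp.example.net", port=465,
                           user="norman@example.net", password="app-password"):
    """Upstream hop is message submission (implicit TLS on 465 plus AUTH), not port 25.
    Host, port and credentials are placeholders for your provider's settings."""
    with smtplib.SMTP_SSL(host, port, timeout=30) as upstream:
        upstream.login(user, password)
        upstream.sendmail(sender, rcpts, data)


def start_relay(host, port, forward, allowed=ALLOWED_CLIENTS):
    """Listen in a daemon thread; return the bound port (handy when port=0)."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)

    def serve_one(conn, peer):
        with conn:
            handle_session(conn, peer, forward, allowed)

    def loop():
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=serve_one, args=(conn, peer), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Loopback run: allow 127.0.0.0/8, capture instead of forwarding.  Returns (sender, rcpts, data)."""
    got = []
    port = start_relay("127.0.0.1", 0, lambda s, r, d: got.append((s, r, d)),
                       allowed=[ipaddress.ip_network("127.0.0.0/8")])
    with smtplib.SMTP("127.0.0.1", port, local_hostname="router", timeout=5) as client:
        client.sendmail("logs@router.lan", ["admin@example.net"],
                        b"Subject: router log\r\n\r\nWAN login\r\n.dot-stuffed line\r\n")
    return got[0]


if __name__ == "__main__":
    print(demo())   # real use: start_relay("192.168.1.2", 25, forward_via_submission); then wait
```

For real use, run start_relay("192.168.1.2", 25, forward_via_submission) on the LAN host (binding 25 needs root or the equivalent), point the Netgear at 192.168.1.2:25, and keep the allow-list to the router's address only; the LAN leg is cleartext, so only the upstream leg protects the credentials, which is why the forwarder uses SMTP_SSL.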


dwhayden

join:2000-12-23
Greenwood, IN
reply to NormanS
said by NormanS:

I have not used port 25 for message submission in the last ten years. It is nice to have for running a mail server; but Comcast does permit that on residential accounts.

Same here. I haven't used port 25 for direct outbound SMTP in over 10 years as most mail providers rejected it from Residential IP blocks even 10 years ago. As a precaution I've always blocked 25 outbound from my firewall with logging to catch potential SPAM bots.

I've been expecting Comcast for years to completely block 25, so I was prepared to implement the workaround pretty quick. Nothing lost, but just wish I noticed it earlier in the day.