
dwhayden

join:2000-12-23
Greenwood, IN
reply to pclover

Re: Comcast decides to block port 25 IN and OUT with no notice.

It appears around 5:30PM yesterday my inbound SMTP was blocked. Coincidentally, this appears to be around the time I rebooted my cable modem. Inbound SMTP is still open through IPv6.



NetFixer
From my cold dead hands
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
·Comcast

1 recommendation

said by dwhayden:

It appears around 5:30PM yesterday my inbound SMTP was blocked. Coincidentally, this appears to be around the time I rebooted my cable modem. Inbound SMTP is still open through IPv6.

Yep, you will find security holes like that everywhere now that IPv6 is starting to be implemented by people who haven't taken into account that IPv6 requires its own separate firewall rules. At this point in time, IPv6 is possibly the hacker's best friend (although of course Adobe, Microsoft, and Oracle are still on their holiday card list).
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


a nun

@b2b2c.ca
reply to pclover

They took 10 years to block that port? Since almost all users *never* use that port, it only makes sense to block that port. Yes, I've worked abuse for a very large ISP.



mrpeach

@comcast.net
reply to dwhayden

Oddly enough, that's exactly what happened to me - the lure of faster speeds in an email prompted me to reboot my modem, then the sudden discovery I'd been screwed.



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET

said by mrpeach :

Oddly enough, that's exactly what happened to me - the lure of faster speeds in an email prompted me to reboot my modem, then the sudden discovery I'd been screwed.

I have not used port 25 for message submission in the last ten years. It is nice to have for running a mail server; but Comcast does permit that on residential accounts.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

TheBigCheese

join:2002-08-05
Voorhees, NJ
reply to pclover

Don't know about "no notice" as I received several snail mails about this. I do have a reason to want 25 open as my Netgear router sends logs over port 25 and there is no way to change the port number! I guess the only solution is to use a VPN but I don't see that the cost is justified (I'm cheap).



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET

said by TheBigCheese:

Don't know about "no notice" as I received several snail mails about this. I do have a reason to want 25 open as my Netgear router sends logs over port 25 and there is no way to change the port number! I guess the only solution is to use a VPN but I don't see that the cost is justified (I'm cheap).

If you have Windows [XP|Vista|7] Professional, then you have IIS, which includes a mail server. So set up IIS, and point your Netgear to 127.0.0.1:25. IIS SMTP will relay (so be certain to secure it against unauthorized access), and it can be configured to use any TCP port to send. So configure the server to use port 465 of whichever e-mail service you use.

And if you don't have the Professional version of Windows, there are free SMTP server applications which will run as a service, and do the same thing.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:1

Using 127.0.0.1 (or any other loopback address) merely points to the Netgear itself.

And you cannot reach a loopback address on another device because these addresses are non-routable.

Stunnel is probably the lightest application that would work just fine.



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET

said by graysonf:

Using 127.0.0.1 (or any other loopback address) merely points to the Netgear itself.

And you cannot reach a loopback address on another device because these addresses are non-routable.

Of course; my bad. Assuming IIS is running on a computer at 192.168.1.2, then pointing the Netgear at 192.168.1.2:25 should work.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


dwhayden

join:2000-12-23
Greenwood, IN
reply to NormanS

said by NormanS:

I have not used port 25 for message submission in the last ten years. It is nice to have for running a mail server; but Comcast does permit that on residential accounts.

Same here. I haven't used port 25 for direct outbound SMTP in over 10 years, as most mail providers rejected it from residential IP blocks even 10 years ago. As a precaution I've always blocked 25 outbound from my firewall with logging to catch potential spam bots.

I've been expecting Comcast for years to completely block 25, so I was prepared to implement the workaround pretty quickly. Nothing lost, but I just wish I'd noticed it earlier in the day.
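Two points in this thread lend themselves to a worked check: the firewall that drops outbound port 25 with logging so that a spam bot on the LAN shows up in the logs (dwhayden above), and the observation that inbound SMTP stayed open over IPv6 because the IPv6 rules never got the block the IPv4 rules had (dwhayden and NetFixer earlier). The script below is an added example, not code from any poster. It parses constructed kernel log lines in the style of iptables/ip6tables LOG output; the rule labels `OUT25-DROP`, `IN25-ACCEPT` and `OUT587-ACCEPT`, the hostnames and the addresses are all assumptions made up for the sample.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, modelled on iptables/ip6tables LOG lines. The rule prefixes
# (OUT25-DROP etc.), interfaces and addresses are invented for this example.
SAMPLE_LOG = """\
Mar  2 17:31:02 gw kernel: OUT25-DROP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.10 PROTO=TCP SPT=51022 DPT=25 SYN
Mar  2 17:31:02 gw kernel: OUT25-DROP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.11 PROTO=TCP SPT=51023 DPT=25 SYN
Mar  2 17:31:03 gw kernel: OUT25-DROP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.12 PROTO=TCP SPT=51024 DPT=25 SYN
Mar  2 17:31:05 gw kernel: OUT25-DROP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.13 PROTO=TCP SPT=51025 DPT=25 SYN
Mar  2 17:31:40 gw kernel: OUT25-DROP IN=eth1 OUT=eth0 SRC=192.168.1.9 DST=198.51.100.5 PROTO=TCP SPT=40210 DPT=25 SYN
Mar  2 17:32:10 gw kernel: IN25-ACCEPT IN=eth0 OUT=eth1 SRC=2001:db8:ffff::7 DST=2001:db8:1::25 PROTO=TCP SPT=44321 DPT=25 SYN
Mar  2 17:32:11 gw kernel: OUT587-ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.9 DST=198.51.100.5 PROTO=TCP SPT=40211 DPT=587 SYN
"""

# Rule prefix, interfaces, addresses, protocol and destination port; the lazy
# ".*?" skips the LEN/TOS/TTL fields that a real log line carries.
LOG_RE = re.compile(
    r"(?P<prefix>[A-Z0-9-]+) IN=(?P<in>\S*) OUT=(?P<out>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_log(text):
    """Turn log lines into records; lines without a firewall LOG entry are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated kernel message
        rec = m.groupdict()
        rec["dpt"] = int(rec["dpt"])
        rec["family"] = ipaddress.ip_address(rec["src"]).version  # 4 or 6
        rec["action"] = rec["prefix"].rsplit("-", 1)[-1]          # DROP / ACCEPT
        records.append(rec)
    return records


def suspect_spam_bots(records, min_distinct_dst=3):
    """Internal hosts whose dropped outbound port-25 attempts fanned out to at
    least min_distinct_dst distinct destinations. A legitimate client talks to
    one relay; a spam bot tries many MX hosts."""
    targets = defaultdict(set)
    for r in records:
        if r["proto"] == "TCP" and r["dpt"] == 25 and r["action"] == "DROP":
            targets[r["src"]].add(r["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_distinct_dst}


def ipv6_smtp_gaps(records):
    """Accepted port-25 connections from IPv6 sources: the 'still open through
    IPv6' case, where the v6 ruleset lacks the block the v4 ruleset enforces."""
    return [(r["src"], r["dst"]) for r in records
            if r["dpt"] == 25 and r["action"] == "ACCEPT" and r["family"] == 6]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("possible spam bots (src -> distinct MX targets):", suspect_spam_bots(recs))
    print("port 25 accepted over IPv6:", ipv6_smtp_gaps(recs))
```

The distinct-destination count matters more than the raw attempt count: a misconfigured mail client retries one relay, while a bot works through a list of MX hosts. Any hit from `ipv6_smtp_gaps` means the IPv6 firewall policy needs the same port-25 rule the IPv4 policy already has.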


NetFixer
From my cold dead hands
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
·Comcast
reply to NormanS

said by NormanS:

said by graysonf:

Using 127.0.0.1 (or any other loopback address) merely points to the Netgear itself.

And you cannot reach a loopback address on another device because these addresses are non-routable.

Of course; my bad. Assuming IIS is running on a computer at 192.168.1.2, then pointing the Netgear at 192.168.1.2:25 should work.

I don't know about the specific Netgear router being discussed, but I have on numerous occasions run into consumer/residential grade routers that would only do SMTP for emailing logs and/or NTP for time sync over the WAN interface. In that case the router would also be unable to send its log to a local mail server on 192.168.1.2.
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


CSampson

@comcast.net
reply to NormanS

Yes, it is fair to say "without notice".
In case you missed the great book "The Hitchhiker's Guide to the Galaxy": posting notice where nobody can see it or would look... isn't notice at all. I don't read Comcast emails, I read my own emails that I use with my company. However, Comcast has been interfering with our ports for years now and yes, they cut them off entirely without proper notice.

The answer is simple: DOJ Anti-Trust division and FCC need to hear how this affects you, not just that it happens.

For years, net neutrality was discussed in the context of programming, but net vets like me were and should have been pointing out the Port Controls.

If Comcast wants to keep me from "spamming" via Comcast, that's their business. But to keep me from legit mailing via my own server out of their control issues... it's wrong.


AVonGauss
Premium
join:2007-11-01
Boynton Beach, FL

said by CSampson :

The answer is simple: DOJ Anti-Trust division and FCC need to hear how this affects you, not just that it happens.

For years, net neutrality was discussed in the context of programming, but net vets like me were and should have been pointing out the Port Controls.

To imply or claim that this is a DOJ, FCC or even a Net neutrality matter is absolutely absurd, and that's the polite version. Should the NetBIOS series of ports be unblocked just in case someone wants to be able to allow for easier file sharing even though it has a proven track record of abuse, like SMTP?

If you've chosen not to read information provided by your provider and have been caught off guard, whose fault is that really? Comcast should have done this 10 years ago, imho.


CSampson

@comcast.net
reply to a nun

"Since almost all users *never* use that port, it only makes sense to block that port. Yes, I've worked abuse for a very large ISP"

So what? If we use our own ports on our own servers and don't spam, the ISP should stay out of the way, not play firewall nanny.



56885201
Ain't Nothin' But A Hound Dawg
Premium
join:2005-05-01
Dawg House
reply to CSampson

said by CSampson :

Yes, it is fair to say "without notice".
In case you missed the great book "The Hitchhiker's Guide to the Galaxy": posting notice where nobody can see it or would look... isn't notice at all. I don't read Comcast emails, I read my own emails that I use with my company. However, Comcast has been interfering with our ports for years now and yes, they cut them off entirely without proper notice.

The answer is simple: DOJ Anti-Trust division and FCC need to hear how this affects you, not just that it happens.

For years, net neutrality was discussed in the context of programming, but net vets like me were and should have been pointing out the Port Controls.

If Comcast wants to keep me from "spamming" via Comcast, that's their business. But to keep me from legit mailing via my own server out of their control issues... it's wrong.

I think it is fair to say that because you deliberately do not read the emails that your ISP sends to you to notify you of changes to your account/service, you deserve to get whatever "surprises" may come your way.

I have seen this lame "I don't read email from my ISP" excuse more times than I can count. Besides the email that was sent to every customer, Comcast put this information on-line in their help/support pages. Exactly how do you think your ISP is supposed to notify you of account and service changes?

If your own email server is hosted somewhere, you should configure it to allow authenticated mail submission using something other than port 25. If you are running an email server on a Comcast residential account, you should configure it to use Comcast's SMTP server as a smarthost (and of course use port 587, or port 465 with SSL, for outbound email). For inbound email, you will have to point your MX records to an offsite store and forward service. FWIW, I use the Comcast Business Class SMTP server as a smarthost, and I set my MX records to point to Comcast's hosted Exchange server, and my in-house email server simply polls and downloads the email to the local inboxes. I used to do the same thing with AT&T when they were my ISP, and with Covad before that.

What Comcast is doing for port 25 for residential accounts is what most responsible ISPs have been doing for years. Good luck with your complaint to the FCC and DOJ.
--
Some days you're the dog; some days you're the hydrant.


Bach
Premium
join:2002-02-16
Flint, MI
reply to TheBigCheese


said by TheBigCheese:

Don't know about "no notice" as I received several snail mails about this. I do have a reason to want 25 open as my Netgear router sends logs over port 25 and there is no way to change the port number! I guess the only solution is to use a VPN but I don't see that the cost is justified (I'm cheap).

I likewise had my Netgear WNR3500L router configured to email its logs so I could review/archive them. The port cannot be configured. Comcast never notified of any port 25 activity. The emails from the router stopped at the end of February and the router's log now says it cannot connect to the email server. No big deal I guess, I'll just collect the log data manually.


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
reply to CSampson

said by CSampson :

Yes, it is fair to say "without notice".
In case you missed the great book "The Hitchhiker's Guide to the Galaxy": posting notice where nobody can see it or would look... isn't notice at all. I don't read Comcast emails ...

Why not? Isn't that the logical place to send notices to customers?

I read my own emails that I use with my company. However, Comcast has been interfering with our ports for years now and yes, they cut them off entirely without proper notice.

So what would you consider proper notice?

For years, net neutrality was discussed in the context of programming, but net vets like me were and should have been pointing out the Port Controls.

If Comcast wants to keep me from "spamming" via Comcast, that's their business. But to keep me from legit mailing via my own server out of their control issues... it's wrong.

Read the RFCs. Port 25 is for Mail Transfer. MX-to-MX. Unless you are running an MX server on your residential connection (which I believe is a violation of the Comcast ToS), you don't need port 25.

The latest Message Submission RFC is RFC 6409:

»tools.ietf.org/html/rfc6409

Previous RFCs, RFC 2476 and RFC 4409, were not as adamant about the separation of Message Submission from Message Transfer.

Now I will await an explanation of how compliance with published RFCs violates "Net Neutrality".
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum
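Two earlier posts describe the same workaround from different angles: 56885201's advice to hand outbound mail to an authenticated smarthost on port 587 (or 465 with SSL) instead of port 25, and NormanS's point that RFC 6409 reserves port 25 for MX-to-MX transfer while submission belongs on the submission port. The client below is an added example written for this thread, not code from either poster. The smarthost name, credentials and addresses are placeholders; the `RecordingSMTP` class is an offline stand-in for `smtplib.SMTP` that only records the command sequence, so the example runs without a network.

```python
import smtplib
import ssl
from email.message import EmailMessage

# Placeholders: substitute your provider's submission host and an account it issued.
SMARTHOST = "smtp.example.net"
SUBMISSION_PORT = 587   # RFC 6409 submission port; STARTTLS upgrade
SMTPS_PORT = 465        # submission over implicit TLS
USERNAME = "user@example.net"
PASSWORD = "app-password-placeholder"


def build_message(sender, recipient, subject, body):
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    return msg


def submit(msg, host=SMARTHOST, port=SUBMISSION_PORT, username=USERNAME,
           password=PASSWORD, smtp_factory=smtplib.SMTP, ssl_factory=smtplib.SMTP_SSL):
    """Hand a message to an authenticated smarthost. Port 25 is refused outright:
    that is the MX-to-MX transfer port, which a residential ISP blocks anyway."""
    if port == 25:
        raise ValueError("port 25 is for mail transfer, not submission; use 587 or 465")
    context = ssl.create_default_context()  # verifies the smarthost certificate
    if port == SMTPS_PORT:
        client = ssl_factory(host, port, context=context, timeout=30)
    else:
        client = smtp_factory(host, port, timeout=30)
    with client:  # quit() on exit, even on error
        client.ehlo()
        if port != SMTPS_PORT:
            # Never send credentials before the session is encrypted.
            if not client.has_extn("starttls"):
                raise RuntimeError("server offers no STARTTLS; refusing to send credentials in clear")
            client.starttls(context=context)
            client.ehlo()  # re-EHLO: the feature list may change under TLS
        client.login(username, password)
        return client.send_message(msg)


class RecordingSMTP:
    """Offline stand-in for smtplib.SMTP/SMTP_SSL (constructed for this example):
    records the command sequence and refuses AUTH on a plaintext session."""
    def __init__(self, host, port, timeout=None, context=None, offers_starttls=True):
        self.offers_starttls = offers_starttls
        self.transcript = []
        self.tls = context is not None and port == SMTPS_PORT  # implicit TLS from the start
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        self.transcript.append("QUIT")
    def ehlo(self):
        self.transcript.append("EHLO")
    def has_extn(self, name):
        return self.offers_starttls and name == "starttls"
    def starttls(self, context=None):
        self.tls = True
        self.transcript.append("STARTTLS")
    def login(self, user, password):
        if not self.tls:
            raise AssertionError("credentials would have gone over plaintext")
        self.transcript.append(f"AUTH {user}")
    def send_message(self, msg):
        self.transcript.append("DATA")
        return {}  # smtplib returns the dict of refused recipients; none here


def dry_run(port=SUBMISSION_PORT, offers_starttls=True):
    """Run submit() against the recording stand-in; returns the command transcript,
    or a one-element list starting with 'REFUSED:' when submit() declines to send."""
    made = []
    def factory(host, port, **kw):
        client = RecordingSMTP(host, port, offers_starttls=offers_starttls, **kw)
        made.append(client)
        return client
    msg = build_message("me@example.net", "you@example.org", "router log", "constructed body")
    try:
        submit(msg, port=port, smtp_factory=factory, ssl_factory=factory)
    except (ValueError, RuntimeError) as e:
        return [f"REFUSED: {e}"]
    return made[0].transcript


if __name__ == "__main__":
    print("587:", dry_run())
    print("465:", dry_run(port=SMTPS_PORT))
    print("25:", dry_run(port=25))
    print("no STARTTLS:", dry_run(offers_starttls=False))
```

The sequence on 587 is EHLO, STARTTLS, EHLO again, AUTH, then DATA; on 465 the TLS handshake happens before the first EHLO, so STARTTLS is absent. The two refusals are the defensive part: the client will not talk to port 25 at all, and it will not authenticate to a submission server that does not offer STARTTLS.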


CSampson

@comcast.net

1 edit
reply to 56885201

"I think it is fair to say that because you deliberately do not read the emails that your ISP sends to you to notify you of changes to your account/service, you deserve to get whatever "surprises" may come your way."

Deliberately,
NO...I will correct your pathetic take real quick:
COMCAST TOOK OVER OUR MARKET
I DID NOT SIGN UP FOR COMCAST. I NEVER ASKED FOR AN EMAIL. I HAVE USED THE SAME EMAIL FOR 15 YEARS.

Comcast has that email and sends me my bills every month.
They never sent this notice to my email...They sent it to an internal email they gave me. "deliberate" means to think about...I do not "deliberate" about reading an email someone gives me that I do not need.

They have my email, they send notifications about service, appointments and bills. They sent no notification of a permanent Port 25 Block. They have instituted their system for the past few years and starting Mar 2, they cut it off entirely without NOTICE.

I run an internet company. I don't arbitrarily give my clients emails they don't know about, don't ask for, then demand they check them for my needs. I use their emails for notification, as do 100% of the companies I use, including Comcast.

Comcast has my regular email and they did not send notice.



56885201
Ain't Nothin' But A Hound Dawg
Premium
join:2005-05-01
Dawg House

I won't bother to respond to your additional rant about not wanting to read your Comcast email (because you obviously did not do it, and are not going to do it, and will not even consider that if you had done it, you would not have been taken by surprise).

However, I will take one very short sentence from your most recent rant as another example of how your current situation could have been avoided entirely.

said by CSampson :

I run an internet company.

If you are using a Comcast residential account for running a business related email server, you could have easily avoided this problem by simply getting a Comcast Business Class account instead of using a residential account.

Sometimes the simple solutions that are right under your nose are the hardest to see (especially when you don't want to see a particular solution).
--
Some days you're the dog; some days you're the hydrant.


owlyn
Premium,MVM
join:2004-06-05
Newtown, PA
reply to CSampson

I got the Comcast email, read it, and took the 20 seconds to change the ports for the accounts in my email client. What do you want them to do, call you on the phone? Come to your house? They have to contact you somehow.



tomp

@comcast.net
reply to 56885201

Wow, I smell arrogance. I was not notified about the port change. I spent a significant amount of time wondering why what worked yesterday does not work today. Comcast wasted my time and has done so in many other situations. They have a monopoly in my area, we have lost choice in communications providers. Anti-monopoly laws were put in place to maintain healthy competition that benefited consumers and promoted innovation. Those days are almost gone if we continue to tolerate this kind of behavior.



56885201
Ain't Nothin' But A Hound Dawg
Premium
join:2005-05-01
Dawg House

said by tomp :

Wow, I smell arrogance. I was not notified about the port change. I spent a significant amount of time wondering why what worked yesterday does not work today. Comcast wasted my time and has done so in many other situations. They have a monopoly in my area, we have lost choice in communications providers. Anti-monopoly laws were put in place to maintain healthy competition that benefited consumers and promoted innovation. Those days are almost gone if we continue to tolerate this kind of behavior.

Hmm, shall I tell you what I smell?

Comcast sent a notification email to subscribers; there have been other posters in this thread who have verified that (even if you don't believe me). I have no way of knowing if your email was eaten by a spam blocker or simply ignored, but nonetheless, the notification email was sent.

Even if there had been no email notification, port 25 for residential users is listed as being blocked on the Comcast support site (and it has been listed there for many months). The link to that document has already been posted in this thread and in this related thread: »[Rant] Crazy port blocking . Exactly how much notification do you think that Comcast should have given to you personally?

As for competition, blocking port 25 for residential users is a very common practice; so even if you had a choice, most likely your alternative ISP would also block port 25.
--
Some days you're the dog; some days you're the hydrant.


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
reply to tomp

said by tomp :

Wow, I smell arrogance. I was not notified about the port change. I spent a significant amount of time wondering why what worked yesterday does not work today. Comcast wasted my time and has done so in many other situations.

It took me all of 3 seconds to find:
»www.google.com/search?client=ope···=suggest

They have a monopoly in my area, we have lost choice in communications providers. Anti-monopoly laws were put in place to maintain healthy competition that benefited consumers and promoted innovation. Those days are almost gone if we continue to tolerate this kind of behavior.

In my area, I have:

• AT&T
• Comcast
• DSL Extreme
• Sonic.net, LLC

... and probably some others. Port 25 is mostly blocked by default, but various customer service options will permit port 25 access for all competitors. A little judicious Internet searching would have turned up answers in less than half an hour.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:1
reply to tomp

said by tomp :

Wow, I smell arrogance. I was not notified about the port change. I spent a significant amount of time wondering why what worked yesterday does not work today. Comcast wasted my time and has done so in many other situations. They have a monopoly in my area, we have lost choice in communications providers. Anti-monopoly laws were put in place to maintain healthy competition that benefited consumers and promoted innovation. Those days are almost gone if we continue to tolerate this kind of behavior.

Well, you do have options. If there really is no competition in your area that will allow outbound TCP port 25, then absolutely, positively refuse to tolerate it:

Become your own ISP and run things the way you want to, or move to an area that has a service provider that will allow your use of outbound TCP port 25.


AnonMan

@comcast.net

I love people that say become your own ISP.

Too bad all the big companies have monopolized the states so much and lobbied for so many restrictions and laws it's almost impossible.

The only reason Google got to do it was they have deeper pockets.
When is the last time you really saw a new ISP start up, much less expand far? ISP is a profitable business to run, no reason to not expand it, but rules/laws make it hard. Stupid agreements may not allow competition or not allow one the same access as another etc.

The days of dial-up are over, and that is the days when everyone was becoming an ISP as all was restricted to the same rules. Today is a whole new game. Whoever has the deeper pockets will win. Heck, even our presidency goes that way lol


efball

join:2010-08-31
Santa Rosa, CA

I do read my Comcast email, but I didn't get any notice.
When I signed up 2 years ago port 25 outbound was blocked, so I used port 587 and relayed through Comcast. That worked fine, but I was using port 25 inbound to receive mail for my domains, which stopped a couple days ago. Blocking port 25 inbound doesn't stop spam, they are doing this just because they can and they want to squeeze more money out of people. No way I'm upgrading to business class. I can buy a virtual server for $15/year and use that for my email server.



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET

said by efball:

Blocking port 25 inbound doesn't stop spam, they are doing this just because they can and they want to squeeze more money out of people. No way I'm upgrading to business class. I can buy a virtual server for $15/year and use that for my email server.

I believe the Comcast ToS prohibits servers on residential connections. Blocking inbound port 25 would effectively enforce that prohibition.

FWIW, my ISP, Sonic.net, blocks port 25, both outbound and inbound, on dynamic residential accounts. I have three static options:

• /32 for free.
• /30 for $10 a month extra.
• /29 for $20 a month extra.

I chose the /32.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


JohnInSJ
Premium
join:2003-09-22
San Jose, CA
reply to efball

said by efball:

I do read my Comcast email, but I didn't get any notice.
When I signed up 2 years ago port 25 outbound was blocked, so I used port 587 and relayed through Comcast. That worked fine, but I was using port 25 inbound to receive mail for my domains, which stopped a couple days ago. Blocking port 25 inbound doesn't stop spam, they are doing this just because they can and they want to squeeze more money out of people. No way I'm upgrading to business class. I can buy a virtual server for $15/year and use that for my email server.

Did you read the TOS/AUP two years ago? If so, then you knew what you were doing was not supported, and in fact not a valid use of residential service.
--
My place : »www.schettino.us


ArrayList
netbus developer
Premium
join:2005-03-19
Evanston, IL
reply to graysonf

Wait a minute, they block the ability to connect to mail servers that are not even on their network via port 25? That is a standard SMTP port. Comcast shouldn't be blocking it.