
NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
reply to Demog

Re: Comcast decides to block port 25 IN and OUT with no notice.

said by Demog :

Boy if you have anything that will only work if port 25 is open, I'd scream at the OEM, not Comcast. Anything that needs port 25 is very old or was poorly designed/implemented.

I agree about the old or poorly designed/implemented statement. However, sometimes the OEM is Comcast, as in the Comcast branded Netgear WNR1000v2-VC which has custom Comcast firmware (and the firmware in the device below is the latest IPv6 firmware which was released after Comcast made the decision to block port 25 for residential accounts):



--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

Will that router connect to an stunnel listening on a LAN host on port 25 which forwards to smtp.comcast.net on port 465?



NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

said by graysonf:

Will that router connect to an stunnel listening on a LAN host on port 25 which forwards to smtp.comcast.net on port 465?

Actually, I run a local email server, but this particular router seems to only use the WAN port for email notification and for NTP sync (at least that is my recollection from when I was using it as only an access point with no WAN connection for a while...but that was also several firmware revs ago). Also, this particular router is currently on an isolated VLAN with no IP connectivity to my LAN (although I do have an administrative backdoor link that could be activated and left live if necessary). Fortunately, I have a business class account and port 25 is not blocked for me, so it still works (for now) using port 25 over the WAN interface.

Thanks for the reminder/tip though, if I suddenly find that my dynamic IP business class has port 25 blocked, I will give the LAN email server IP a try again (maybe the current firmware supports it).
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
reply to ArrayList

said by ArrayList:

the server is not run on the business class connection. That alone says that you don't need business level service.

I have no idea what you're saying here. You aren't allowed to run any server on residential. Only an SMTP SERVER needs to send traffic on port 25. Therefore you need to be on business class to send traffic on port 25. QED
--
My place : »www.schettino.us

Kearnstd
Space Elf
Premium
join:2002-01-22
Mullica Hill, NJ
kudos:1
reply to pclover

Don't blame Comcast. Blame the millions of people too stupid to know that banner ad that says "Get a free iPad" is actually turning their computer into a bot.
--
[65 Arcanist]Filan(High Elf) Zone: Broadband Reports



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
·Pacific Bell - SBC
reply to ArrayList

said by ArrayList:

wait a minute, they block the ability to connect to mail servers that are not even on their network via port 25? That is a standard smtp port. Comcast shouldn't be blocking it.

That is a standard "server-to-server" port. End users should be using the standard "user-to-server" port:

»tools.ietf.org/html/rfc6409
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
·Pacific Bell - SBC

1 edit
reply to ArrayList

said by ArrayList:

said by NormanS:

OP wants to test an off-Comcast network SMTP server, and definitely should get a business-class account for that purpose.

really? a business class connection just to test if port 25 is working?

Yes, because port 25 is no longer a standard user port; hasn't really been since RFC 2476 was published in December, 1998.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


ArrayList
netbus developer
Premium
join:2005-03-19
Brighton, MA
Reviews:
·RCN CABLE
·Comcast
reply to JohnInSJ

said by JohnInSJ:

said by ArrayList:

the server is not run on the business class connection. That alone says that you don't need business level service.

I have no idea what you're saying here.

I don't run a server on my connection, why can't I open a tcp connection to a remote server over port 25 without paying more money for the privilege to do so? I really don't care either way. Spammers will spam regardless of what Comcast does.

AVonGauss
Premium
join:2007-11-01
Boynton Beach, FL

Blocking outbound 25/tcp significantly lowers the amount of e-mail spam coming from an ISP. If you run a mail server, it's very easy to tell who is blocking and who is not blocking based on the spam mail attempts.

I probably already said this in this thread, but Comcast should have done this years ago.



graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

1 recommendation

reply to ArrayList

Get a free shell account on »www.cjb.net

Connect anywhere you want to destination port TCP 25.



JohnInSJ
Premium
join:2003-09-22
Aptos, CA

1 recommendation

reply to ArrayList

said by ArrayList:

said by JohnInSJ:

said by ArrayList:

the server is not run on the business class connection. That alone says that you don't need business level service.

I have no idea what you're saying here.

I don't run a server on my connection, why can't I open a tcp connection to a remote server over port 25 without paying more money for the privilege to do so? I really don't care either way. Spammers will spam regardless of what Comcast does.

Port 25 communications are reserved for servers. That's why.
--
My place : »www.schettino.us


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
·Pacific Bell - SBC
reply to ArrayList

said by ArrayList:

Spammers will spam regardless of what Comcast does.

Prior to 2002, when SBC blocked customer access to port 25, SBC residential hosts were the most prevalent spam source IP addresses in my server logs. Subsequent to the blocking, SBC residential hosts dropped to near last. While spammers continued to spam, they were much less successful at using compromised SBC residential customer hosts.

FWIW, SBC led Comcast until the blocks. After the SBC blocks, SBC dropped behind Comcast as a spam source. From which I deduced that blocking port 25 reduced the amount of abuse coming from SBC.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum
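AVonGauss and NormanS both describe telling blocking from non-blocking ISPs by which source networks dominate a mail server's reject logs. The following is an added example (not from this thread or any of its posters) of that per-network tally over Postfix-style reject lines. The log lines, the ISP labels and the prefix table are all constructed for the demo, using RFC 5737 documentation ranges rather than real allocations; in practice the table would come from WHOIS/RIR data or an IP-to-ASN feed.

```python
"""Added example, not from the thread: rank the source networks behind
rejected SMTP connection attempts in a mail server log. Log lines and
the netblock table are constructed (RFC 5737 documentation ranges),
not real allocations or real traffic."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed prefix -> network owner table; labels are hypothetical.
NETBLOCKS = {
    "ISP-A": ["192.0.2.0/24"],
    "ISP-B": ["198.51.100.0/24"],
    "ISP-C": ["203.0.113.0/24"],
}

# Matches Postfix-style reject lines: "reject: RCPT from host[ip]: ..."
REJECT_RE = re.compile(r"reject: RCPT from [^\s\[]*\[(?P<ip>[0-9a-fA-F:.]+)\]")

# Constructed sample log: six rejects from three networks, plus two lines
# from a legitimate sender that must not be counted.
SAMPLE_LOG = """\
Mar 17 19:39:55 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; client host blocked using dnsbl.example; from=<x@example.net> to=<u@example.org>
Mar 17 19:40:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; client host blocked using dnsbl.example; from=<y@example.net> to=<v@example.org>
Mar 17 19:40:10 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 450 4.7.1 Client host rejected: cannot find your hostname; from=<z@example.net> to=<w@example.org>
Mar 17 19:40:31 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; client host blocked using dnsbl.example; from=<a@example.net> to=<u@example.org>
Mar 17 19:41:05 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[203.0.113.66]: 554 5.7.1 Service unavailable; client host blocked using dnsbl.example; from=<b@example.net> to=<u@example.org>
Mar 17 19:41:40 mx postfix/smtpd[2105]: NOQUEUE: reject: RCPT from biz-3.isp-a.example[192.0.2.30]: 554 5.7.1 Service unavailable; client host blocked using dnsbl.example; from=<c@example.net> to=<u@example.org>
Mar 17 19:42:00 mx postfix/smtpd[2106]: connect from mail.example.com[192.0.2.200]
Mar 17 19:42:01 mx postfix/smtpd[2106]: 3F2A1: client=mail.example.com[192.0.2.200]
"""


def owner_of(ip, netblocks=NETBLOCKS):
    """Return the label of the first prefix containing ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for label, prefixes in netblocks.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return label
    return "unknown"


def rank_reject_sources(log_text, netblocks=NETBLOCKS):
    """Return [(owner, rejected_attempts, distinct_hosts), ...], busiest first.

    Only reject lines count: accepted deliveries and plain connects are
    ignored, so the ranking reflects abusive attempts, not mail volume.
    """
    attempts = Counter()
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        label = owner_of(ip, netblocks)
        attempts[label] += 1
        hosts[label].add(ip)
    return sorted(
        ((label, n, len(hosts[label])) for label, n in attempts.items()),
        key=lambda row: (-row[1], -row[2], row[0]),
    )


if __name__ == "__main__":
    for label, n, distinct in rank_reject_sources(SAMPLE_LOG):
        print(f"{label:8s} rejects={n:3d} distinct_hosts={distinct}")
```

Counting distinct hosts alongside attempts matters: one chatty bot inflates the attempt count, while many distinct hosts from one network is the signature of an ISP whose customers' machines are being used as relays.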


dslcreature
Premium
join:2010-07-10
Seattle, WA
reply to pclover

For what little it's worth, I just noticed all of my SMTP is being blocked as well.

I have had my Comcast account for 9 years, thus far never with any problems incoming or outgoing, and now can't even telnet out to test an SMTP server. I shouldn't be forced to use Comcast's mail infrastructure if I don't want to, and I sure as heck ain't going to give them any more money to get it back.

While SMTP email is getting to be increasingly useless, it is a wake-up call for me: with aggregation in the ISP market, service providers increasingly get away with doing whatever the heck they want without fear of serious reprisal... as if paying >$110/month for service wasn't already enough.

Sadly I find myself yearning for ISP common carrier status. I think they've earned it.



dslcreature
Premium
join:2010-07-10
Seattle, WA
reply to Kearnstd

said by Kearnstd:

Don't blame Comcast. Blame the millions of people too stupid to know that banner ad that says "Get a free iPad" is actually turning their computer into a bot.

I disagree with this characterization. Comcast has had systems in place to deal with this on a per-subscriber basis for quite some time now. The blanket blocking is new and orthogonal in my view.

AVonGauss
Premium
join:2007-11-01
Boynton Beach, FL
reply to dslcreature

Unless you're trying to run a mail server over your residential connection, you are not being forced to "use Comcast's mail infrastructure". If you want to use another e-mail provider, you simply need to use the submission port rather than the SMTP port to send messages through the mail provider of your choice.

If you are truly trying to test external SMTP server connectivity (which is not that common of a need), then you'll need to seek an alternate solution such as a VPS which can be had for $12 per year - or ultimately another ISP, though I would check first to make sure they haven't already blocked the port as well.
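The reconfiguration AVonGauss refers to, submitting through your own provider on the submission port rather than relaying on port 25, as an added example that is not from this thread or any poster. It uses the standard-library smtplib; the provider host and credentials are placeholders, and FakeSubmissionServer is a constructed in-memory stand-in (with smtplib's method names) so the demo runs offline. The smtp_cls/smtps_cls parameters exist only so the transport can be swapped for that fake.

```python
"""Added example, not from the thread: send mail through a provider's
message submission service (RFC 6409, port 587 + STARTTLS, or port 465
with implicit TLS) instead of the port 25 relay path. Provider host and
credentials are placeholders; FakeSubmissionServer is a constructed
in-memory stand-in so the demo runs offline."""
import smtplib
import ssl
from email.message import EmailMessage

SUBMISSION_PORT = 587   # RFC 6409 submission, secured by STARTTLS
SMTPS_PORT = 465        # implicit TLS from the first byte
RELAY_PORT = 25         # MTA-to-MTA relay; what residential ISPs block


def build_message(sender, recipient, subject, body):
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def submit(host, username, password, msg, port=SUBMISSION_PORT,
           smtp_cls=smtplib.SMTP, smtps_cls=smtplib.SMTP_SSL, timeout=15):
    """Authenticate and submit msg; returns the steps taken, in order.

    smtp_cls/smtps_cls let the transport be swapped for a fake in tests;
    in real use the smtplib defaults apply.
    """
    if port == RELAY_PORT:
        raise ValueError("port 25 is the relay port; submit on 587 or 465")
    ctx = ssl.create_default_context()      # verifies the server certificate
    steps = []
    if port == SMTPS_PORT:
        client = smtps_cls(host, port, timeout=timeout, context=ctx)
        steps.append("tls")
    else:
        client = smtp_cls(host, port, timeout=timeout)
        client.ehlo()
        if not client.has_extn("starttls"):
            client.quit()
            raise RuntimeError("no STARTTLS offered; not sending credentials in clear")
        client.starttls(context=ctx)
        client.ehlo()                       # capabilities can change after TLS
        steps.append("starttls")
    try:
        client.login(username, password)    # AUTH happens only inside TLS
        steps.append("auth")
        client.send_message(msg)
        steps.append("sent")
    finally:
        client.quit()
    return steps


class FakeSubmissionServer:
    """Constructed stand-in with smtplib's method names; records calls."""
    def __init__(self, host, port, timeout=None, context=None, starttls=True):
        self.host, self.port, self.calls = host, port, []
        self._starttls = starttls
    def ehlo(self): self.calls.append("ehlo")
    def has_extn(self, name): return name == "starttls" and self._starttls
    def starttls(self, context=None): self.calls.append("starttls")
    def login(self, user, password): self.calls.append(f"login:{user}")
    def send_message(self, msg): self.calls.append(f"send:{msg['To']}")
    def quit(self): self.calls.append("quit")


if __name__ == "__main__":
    m = build_message("me@example.test", "you@example.test", "hello", "via 587")
    # Swap FakeSubmissionServer for the smtplib default to talk to a real provider.
    print(submit("mail.example.test", "me", "secret", m, smtp_cls=FakeSubmissionServer))
```

The refusal to continue without STARTTLS is the point of the 587 path: the provider authenticates the sender, so the credentials must never cross the wire in clear, and a working submission setup is one where the client has a valid account and authenticates, exactly what port 25 relaying never required.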



dslcreature
Premium
join:2010-07-10
Seattle, WA
reply to AVonGauss

said by AVonGauss:

To imply or claim that this is a DOJ, FCC or even a Net neutrality matter is absolutely absurd, and that's the polite version. Should the NetBIOS series of ports be unblocked just in case someone wants to be able to allow for easier file sharing even though it has a proven track record of abuse, like SMTP?

HTTP has a proven track record for abuse. It's a common attack vector for phishing attacks responsible for the compromise of millions of systems.

To answer your question heck yes they should. If a subscriber wants them unblocked they should have that opportunity.

said by AVonGauss:

If you've chosen not to read information provided by your provider and have been caught off guard, who's fault is that really? Comcast should have done this 10 years ago, imho.

Nobody ever sent me anything.


dslcreature
Premium
join:2010-07-10
Seattle, WA
reply to AVonGauss

said by AVonGauss:

Unless you're trying to run a mail server over your residential connection, you are not being forced to "use Comcast's mail infrastructure".

Yea well I can't send to port 25... this sounds like force to me.

said by AVonGauss:

If you want to use another e-mail provider, you simply need to use the submission port rather than the SMTP port to send messages through the mail provider of your choice.

Connection refused, any other ideas?

said by AVonGauss:

If you are truly trying to test external SMTP server connectivity (which is not that common of a need), then you'll need to seek an alternate solution such as a VPS which can be had for $12 per year - or ultimately another ISP, though I would check first to make sure they haven't already blocked the port as well.

Yea let me get right on paying even more money just so I can have Internet access. NOT.

AVonGauss
Premium
join:2007-11-01
Boynton Beach, FL

Maybe you should check with your e-mail provider to see if they have instructions for how to connect to their service to submit mail? If you tell us who your mail provider is maybe one of us has direct experience with them and can help you with the reconfiguration of your e-mail client.

You can be nasty and come up with all sorts of conspiracy theories on this one, but Comcast has been one of the last holdouts on allowing SMTP sending by residential connections and that day is fast passing. I can't speak for Comcast, but I doubt there is any great business or financial incentive for this change; it's probably just more about being a good "netizen" and lowering the amount of abuse complaints.



NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

2 edits
reply to dslcreature

said by dslcreature:

said by AVonGauss:

Unless you're trying to run a mail server over your residential connection, you are not being forced to "use Comcast's mail infrastructure".

Yea well I can't send to port 25... this sounds like force to me.

That is a broken record response; not reality. You can use whatever port that any mail submission server supports except for port 25 (and any properly configured mail submission server should give you several choices of ports to use).

Here are several examples that use port 587 to reach non-Comcast mail submission servers:

webhost:/ # telnet smtp.att.yahoo.com 587
Trying 98.138.31.74...
Connected to smtp.att.yahoo.com.
Escape character is '^]'.
220 smtp106.sbc.mail.ne1.yahoo.com ESMTP
quit
221 Service Closing transmission
Connection closed by foreign host.
 
webhost:/ # telnet outbound.att.net 587
Trying 68.142.198.51...
Connected to outbound.att.net.
Escape character is '^]'.
220 smtp107.sbc.mail.mud.yahoo.com ESMTP
quit
221 Service Closing transmission
Connection closed by foreign host.
 
webhost:/ # telnet smtp.live.com 587
Trying 65.55.96.11...
Connected to smtp.live.com.
Escape character is '^]'.
220 BLU0-SMTP459.phx.gbl Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at  Sun, 17 Mar 2013 19:39:55 -0700
quit
221 2.0.0 BLU0-SMTP459.phx.gbl Service closing transmission channel
Connection closed by foreign host.
 

said by dslcreature:

said by AVonGauss:

If you want to use another e-mail provider, you simply need to use the submission port rather than the SMTP port to send messages through the mail provider of your choice.

Connection refused, any other ideas?

How about checking with your mail submission server's admin to find out how to properly use their service? And FWIW, "Connection refused" is an authentication response, not a connectivity response; either you are trying to use a mail submission server where you don't have a valid account, or you are not properly authenticating to that server.

I would have no problems (and in fact don't have any problems) sending email through the email servers shown in the above example; but I do have to properly authenticate with those servers in order to do so.

said by dslcreature:

said by AVonGauss:

If you are truly trying to test external SMTP server connectivity (which is not that common of a need), then you'll need to seek an alternate solution such as a VPS which can be had for $12 per year - or ultimately another ISP, though I would check first to make sure they haven't already blocked the port as well.

Yea let me get right on paying even more money just so I can have Internet access. NOT.

It seems to me that you currently do have Internet access. Not being allowed to use port 25 is the normal situation for residential Internet accounts with most ISPs; Comcast is just finally joining with the rest of the industry.

Life happens; get on with yours.
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


dslcreature
Premium
join:2010-07-10
Seattle, WA
reply to AVonGauss

said by AVonGauss:

You can be nasty and come up with all sorts of conspiracy theories on this one, but Comcast has been one of the last holdouts on allowing SMTP sending by residential connections and that day is fast passing.

Excuse me? Nasty? Conspiracy theories?


dslcreature
Premium
join:2010-07-10
Seattle, WA
reply to NetFixer

said by NetFixer:

That is a broken record response; not reality. You can use whatever port that any mail submission server supports except for port 25

This does not help when the server I want to send to is only listening on port 25.

said by NetFixer:

How about checking with your mail submission server's admin to find out how to properly use their service? And

FWIW, "Connection refused" is an authentication response, not a connectivity response; either you are trying to use a mail submission server where you don't have a valid account, or you are not properly authenticating to that server.

It means what RFC 793 says it means.

said by NetFixer:

I would have no problems (and in fact don't have any problems) sending email through the email servers shown in the above example; but I do have to properly authenticate with those servers in order to do so.

It seems to me that you currently do have Internet access. Not being allowed to use port 25 is the normal situation for residential Internet accounts with most ISPs; Comcast is just finally joining with the rest of the industry.

Life happens; get on with yours.

I know of plenty ISPs not blocking outgoing 25. I will most likely be switching to one of them.

saratoga66

join:2002-08-22
Saratoga, CA

said by dslcreature:

I know of plenty ISPs not blocking outgoing 25. I will most likely be switching to one of them.

I think you should be looking for a new email provider not an ISP. Any email provider that doesn't allow any port other than 25 is probably in bad shape and will be going out of business soon.

As stated in this thread, most residential ISPs block port 25 and the ones that don't probably eventually will.

I connect to multiple email providers with my Comcast connection. I have not used port 25 in many years.


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
·Pacific Bell - SBC
reply to dslcreature

said by dslcreature:

I know of plenty ISPs not blocking outgoing 25. I will most likely be switching to one of them.

Any of them on the national level?

Around here:

• AT&T: Blocks port 25 in/out on dynamic residential service.
• Comcast: Blocks port 25 (new) in/out on dynamic residential service.
• DSL Extreme: Blocks port 25 out (not sure about in) on dynamic residential service.
• Paxio: I don't know, but not widely available outside of the City of Santa Clara.
• Sonic.net, LLC: Blocks port 25 in/out on dynamic residential service.

All of the listed port 25 blocking ISPs prohibit running servers from dynamic residential service.

All of the listed port 25 blocking ISPs have a provision for unblocking; most for additional cost.

Since you are referring to the RFCs, know that the RFCs permit ISPs to take steps to mitigate abuse of their network. And one, in particular, addresses user message submission: RFC 6409.

And, yes, if you must have access to port 25, find yourself an ISP which permits it.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


dslcreature
Premium
join:2010-07-10
Seattle, WA

said by NormanS:

said by dslcreature:

I know of plenty ISPs not blocking outgoing 25. I will most likely be switching to one of them.

Since you are referring to the RFCs, know that the RFCs permit ISPs to take steps to mitigate abuse of their network. And one, in particular, addresses user message submission: RFC 6409.

And, yes, if you must have access to port 25, find yourself an ISP which permits it.

Thankfully I was able to effectively bypass the port blocking, so I will be sticking with Comcast after all. Here in the city of rain we still have local choices.

RFCs are not enforceable nor are they grants of authority or legitimacy. While some may communicate best practices there is no "permit".

Email is teetering on the edge of uselessness. Totally insecure, untrusted, unreliable and as much spam as ever. Every well-intentioned measure imposed over the years just makes life more difficult for the user and solves nothing in the end. XMPP or solutions like it are the future.


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
·Pacific Bell - SBC

said by dslcreature:

RFCs are not enforceable nor are they grants of authority or legitimacy. While some may communicate best practices there is no "permit".

I suppose the same can be said for social courtesy. But Robert Anson Heinlein's Lazarus Long noted that:
quote:
Moving parts in rubbing contact require lubrication to avoid excessive wear. Honorifics and formal politeness provide lubrication where people rub together. Often the very young, the untraveled, the naive, the unsophisticated deplore these formalities as “empty,” “meaningless,” or “dishonest,” and scorn to use them. No matter how “pure” their motives, they thereby throw sand into machinery that does not work too well at best.

The RFCs are like oil on the moving parts in rubbing contact. To disregard the RFCs is to throw sand into the machinery.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


dslcreature
Premium
join:2010-07-10
Seattle, WA

said by NormanS:

said by dslcreature:

RFCs are not enforceable nor are they grants of authority or legitimacy. While some may communicate best practices there is no "permit".

I suppose the same can be said for social courtesy. But Robert

The RFCs are like oil on the moving parts in rubbing contact. To disregard the RFCs is to throw sand into the machinery.

Who used the word disregard? Hint it was not me. I pointed out the word "permit" is inaccurate in the context it was used.

The reality is most RFCs never see widespread adoption or are even ever implemented. Legitimacy and value are driven by the marketplace.


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
·Pacific Bell - SBC

said by dslcreature:

The reality is most RFCs never see widespread adoption or are even ever implemented. Legitimacy and value are driven by the marketplace.

Indeed; how would one implement RFC 2549?
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
reply to dslcreature

said by dslcreature:

said by NetFixer:

That is a broken record response; not reality. You can use whatever port that any mail submission server supports except for port 25

This does not help when the server I want to send to is only listening on port 25.

In that case, you will need to find either an alternative mail submission server, or make a change in your ISP. I had to do that over a decade ago when my ISP BellSouth started blocking port 25, and their hosting service (I used BellSouth for both services at that time) only accepted mail submission on port 25. I dropped both services and went with Covad as my ISP, and I hosted my own email server.

said by dslcreature:

said by NetFixer:

How about checking with your mail submission server's admin to find out how to properly use their service? And

FWIW, "Connection refused" is an authentication response, not a connectivity response; either you are trying to use a mail submission server where you don't have a valid account, or you are not properly authenticating to that server.

It means what RFC 793 says it means.

You must be connecting to (or trying to connect to) an interesting server, because the RFC you referenced says that the "Connection refused" reply is used when an already OPEN connection is reset.

Every connection attempt I make to multiple servers that do not support (or block) specific ports returns a "Connect failed" reply.

C:\>telnet fmailhost.isp.att.net 25
Connecting To fmailhost.isp.att.net...Could not open connection to the host, on port 25: Connect failed
 
C:\>telnet fmailhost.isp.att.net 587
Connecting To fmailhost.isp.att.net...Could not open connection to the host, on port 587: Connect failed
 
C:\>telnet mail.bellsouth.net 25
Connecting To mail.bellsouth.net...Could not open connection to the host, on port 25: Connect failed
 
C:\>telnet mail.bellsouth.net 587
Connecting To mail.bellsouth.net...Could not open connection to the host, on port 587: Connect failed
 
C:\>telnet smtp.dcs-net.net 25
Connecting To smtp.dcs-net.net...Could not open connection to the host, on port 25: Connect failed
 
C:\>telnet smtp.dcs-net.net 587
Connecting To smtp.dcs-net.net...Could not open connection to the host, on port 587: Connect failed
 

said by dslcreature:

said by NetFixer:

I would have no problems (and in fact don't have any problems) sending email through the email servers shown in the above example; but I do have to properly authenticate with those servers in order to do so.

It seems to me that you currently do have Internet access. Not being allowed to use port 25 is the normal situation for residential Internet accounts with most ISPs; Comcast is just finally joining with the rest of the industry.

Life happens; get on with yours.

I know of plenty ISPs not blocking outgoing 25. I will most likely be switching to one of them.

Yes, there are ISPs who do not block outgoing (or incoming) port 25 sessions. In fact, you can subscribe to ISP services from both AT&T and Comcast in this area that do not block port 25. Neither of my current business class Comcast or AT&T connections block port 25.

--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
reply to dslcreature

said by dslcreature:

Thankfully I was able to effectively bypass the port blocking, so I will be sticking with Comcast after all. Here in the city of rain we still have local choices.

Glad to hear that you found a solution. I think that many of us would like to know how you did that without using an alternate mail submission port. Did you change your email hosting service? Were you actually able to find someone at Comcast (especially during the weekend) with the authority and knowledge to be able to lift the port 25 block from your account? Were you using a Microsoft email client with Microsoft's annoying tendency to revert the outgoing mail port to 25 despite what you set it to use?
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


dslcreature
Premium
join:2010-07-10
Seattle, WA
reply to NetFixer

said by NetFixer:

You must be connecting to (or trying to connect to) an interesting server, because the RFC you referenced says that the "Connection refused" reply is used when an already OPEN connection is reset.

Open in this context does not mean what you think it means. In the TCP state machine, the transition to ESTABLISHED is what counts.

said by NetFixer:

Every connection attempt I make to multiple servers that do not support (or block) specific ports returns a "Connect failed" reply.

C:\>telnet fmailhost.isp.att.net 25
Connecting To fmailhost.isp.att.net...Could not open connection to the host, on port 25: Connect failed
 
C:\>telnet fmailhost.isp.att.net 587
Connecting To fmailhost.isp.att.net...Could not open connection to the host, on port 587: Connect failed
 
C:\>telnet mail.bellsouth.net 25
Connecting To mail.bellsouth.net...Could not open connection to the host, on port 25: Connect failed
 
C:\>telnet mail.bellsouth.net 587
Connecting To mail.bellsouth.net...Could not open connection to the host, on port 587: Connect failed
 
C:\>telnet smtp.dcs-net.net 25
Connecting To smtp.dcs-net.net...Could not open connection to the host, on port 25: Connect failed
 
C:\>telnet smtp.dcs-net.net 587
Connecting To smtp.dcs-net.net...Could not open connection to the host, on port 587: Connect failed
 

Often you will find that firewalls drop incoming requests on unused ports, so the only feedback you are left with in this case is indistinguishable from a timeout.
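The telnet transcripts NetFixer posted above (the 587 sessions and the "Connect failed" runs) and dslcreature's closing remark all turn on what a failed connect actually tells you. At the TCP level there are three distinct outcomes: the handshake completes (an SMTP service then announces itself with a 220 banner, before any authentication is attempted), a RST comes back (the "Connection refused" of RFC 793 terms: the host is up but nothing is listening), or nothing comes back at all (the SYN was dropped by a filter, which only shows up as a timeout). The script below is an added example, not from the thread or any poster, that separates those cases; the local listener and the unused-port helper are constructed so the demo runs offline, and the host/port names are placeholders.

```python
"""Added example, not from the thread: classify what happened when a TCP
connection to an SMTP/submission port was attempted. serve_banner_once()
is a constructed local stand-in so the demo runs offline."""
import socket
import sys
import threading

FILTERED = "filtered"          # SYN dropped silently: no reply before the timeout
REFUSED = "refused"            # RST received: host up, nothing listening on that port
OPEN = "open"                  # three-way handshake completed
UNRESOLVABLE = "unresolvable"  # name did not resolve; no connection was attempted


def classify_error(exc):
    """Map the exception raised by connect() to the TCP-level outcome."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return FILTERED
    if isinstance(exc, ConnectionRefusedError):
        return REFUSED
    if isinstance(exc, socket.gaierror):
        return UNRESOLVABLE
    return "error"


def probe(host, port, timeout=3.0):
    """Return (state, detail). For OPEN, detail is the server banner
    (an SMTP service sends a 220 line before any AUTH exchange);
    otherwise it is the error text."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                banner = sock.recv(512).decode("ascii", errors="replace").strip()
            except (socket.timeout, TimeoutError):
                banner = ""          # connected, but the service stayed silent
            return OPEN, banner
    except OSError as exc:           # timeout, refused and gaierror are all OSError
        return classify_error(exc), str(exc)


def serve_banner_once(banner=b"220 demo.example ESMTP\r\n"):
    """Constructed local listener: accepts one connection, sends a banner,
    closes. Returns (port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return port, thread


def unused_local_port():
    """A loopback port nothing listens on (bind to 0, read it back, close)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) == 3:           # e.g. probe.py smtp.example.test 587
        print(probe(sys.argv[1], int(sys.argv[2])))
    else:
        port, t = serve_banner_once()
        print("listening port ->", probe("127.0.0.1", port))
        t.join(5)
        print("closed port    ->", probe("127.0.0.1", unused_local_port()))
```

Running it against a provider on 587 and on 25 side by side shows the difference the thread is arguing about: a "refused" on 25 means the provider's host answered and simply has no listener there, while a "filtered" on 25 with an "open" on 587 is the signature of an ISP block on the path, and an authentication problem can only ever appear after "open", as a 5xx reply to AUTH.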