jlivingood (Premium Member, Philadelphia, PA) to pclover:

Re: Comcast decides to block port 25 IN and OUT with no notice.

said by pclover:

I am using 587 and the problem is solved.

EDIT: I am going to contact the Customer Security Assurance and see if I can get it removed. I need port 25 as I do Remote IT.

If you switched to 587 and it works, why do you need to move back to port 25?

graysonf (MVM, Fort Lauderdale, FL):

It's not a matter of not being able to connect to Comcast mail servers on port 25. It's that this policy makes it impossible to connect to any other mail server on port 25. Some people do have a legitimate need to do this.

pclover (Member, Santa Cruz, CA):

said by graysonf:

It's not a matter of not being able to connect to Comcast mail servers on port 25. It's that this policy makes it impossible to connect to any other mail server on port 25. Some people do have a legitimate need to do this.

They do like me but it's a very small percent. They said that they will try and have the block removed but cannot guarantee that it will not be blocked again.

I think I am going to look into a business account.

graysonf (MVM, Fort Lauderdale, FL):

Another option would be to obtain a shell account, perhaps a freebie, on another network that does not block outbound port 25.

pclover (Member, Santa Cruz, CA):

said by graysonf:

Another option would be to obtain a shell account, perhaps a freebie, on another network that does not block outbound port 25.

I could do that. However, the VPS idea inside of the network wouldn't let me make sure it can be accessed outside of the network.

All email to email server communicates over port 25 AFAIK for SMTP.

JohnInSJ (Premium Member, Aptos, CA):

said by pclover:

All email to email server communicates over port 25 AFAIK for SMTP.

And if you are running a server, you're using comcast business class with a static IP, and your port 25 is not blocked.

pclover (Member, Santa Cruz, CA):

said by JohnInSJ:

said by pclover:

All email to email server communicates over port 25 AFAIK for SMTP.

And if you are running a server, you're using comcast business class with a static IP, and your port 25 is not blocked.

Why is it assumed that I am running a server? I need to test to make sure an email server is working correctly!

biomesh (Premium Member, Tomball, TX):

I don't see how running SMTP tests from a residential connection are truly valid tests. What if the SMTP server had its own firewall or blacklist enabled for some of Comcast's IP ranges? You should really be doing these tests from a datacenter-level connection.

graysonf (MVM, Fort Lauderdale, FL):

said by biomesh:

I don't see how running SMTP tests from a residential connection are truly valid tests. What if the SMTP server had its own firewall or blacklist enabled for some of Comcast's IP ranges? You should really be doing these tests from a datacenter-level connection.

One who is testing against such an SMTP server for legitimate reasons would be aware of those potential problems.

JohnInSJ (Premium Member, Aptos, CA) to pclover:

said by pclover:

said by JohnInSJ:

said by pclover:

All email to email server communicates over port 25 AFAIK for SMTP.

And if you are running a server, you're using comcast business class with a static IP, and your port 25 is not blocked.

Why is it assumed that I am running a server? I need to test to make sure an email server is working correctly!

You do? What kind of test are you running? Are you polling port 25 of an SMTP server? Is it your server? Why do you think repeated failed interactions with an SMTP server wouldn't get your IP banned at that server?

NormanS (MVM, San Jose, CA):

said by JohnInSJ:

You do? What kind of test are you running? Are you polling port 25 of an SMTP server? Is it your server? Why do you think repeated failed interactions with an SMTP server wouldn't get your IP banned at that server?

Why do you think testing will result in failure? Here is a test (from a residential connection, no less):
C:\util\dig>telnet mx1.comcast.net 25
Connecting To mx1.comcast.net...
 
220 imta09.westchester.pa.mail.comcast.net comcast ESMTP server ready
quit
221 2.0.0 imta09.westchester.pa.mail.comcast.net comcast closing connection
 
Connection to host lost.
 
Does that qualify as a failure?

FWIW, the source IP address is not in a DUL. The generic form of the rDNS is: 173-228-7-21x.dsl.static.sonic.net, which Sonic.net will not submit to any DUL for obvious reasons. But my specific IP address will respond with, 'mxa.mydomain.tld'.

pclover (Member, Santa Cruz, CA):

said by NormanS:

said by JohnInSJ:

You do? What kind of test are you running? Are you polling port 25 of an SMTP server? Is it your server? Why do you think repeated failed interactions with an SMTP server wouldn't get your IP banned at that server?

Why do you think testing will result in failure? Here is a test (from a residential connection, no less):
C:\util\dig>telnet mx1.comcast.net 25
Connecting To mx1.comcast.net...
 
220 imta09.westchester.pa.mail.comcast.net comcast ESMTP server ready
quit
221 2.0.0 imta09.westchester.pa.mail.comcast.net comcast closing connection
 
Connection to host lost.
 
Does that qualify as a failure?

FWIW, the source IP address is not in a DUL. The generic form of the rDNS is: 173-228-7-21x.dsl.static.sonic.net, which Sonic.net will not submit to any DUL for obvious reasons. But my specific IP address will respond with, 'mxa.mydomain.tld'.

This points out that mail.comcast.net is responding to port 25.

This is what I need!

I need to verify on new servers that Port 25 can be accessed outside of the local network.

Does me no good to use an alternate port as email servers communicate with other email servers over port 25 and if that's not working SMTP will fail and the mail queue will start building.

I was quoted around $94 a month for business phone and internet. Free install with 2 year agreement.

JohnInSJ (Premium Member, Aptos, CA) to NormanS:

said by NormanS:

Does that qualify as a failure?

Repeated probes with no response to handshake get you banned from my email server; other admins may choose other patterns of malicious behavior to ban on.

And you not being able to reach an email server is (clearly) no indication of the health of the server. Why do you feel the need to do this from a residential account?

pclover (Member, Santa Cruz, CA):

said by JohnInSJ:

said by NormanS:

Does that qualify as a failure?

Repeated probes with no response to handshake get you banned from my email server; other admins may choose other patterns of malicious behavior to ban on.

And you not being able to reach an email server is (clearly) no indication of the health of the server. Why do you feel the need to do this from a residential account?

To test for firewall rules etc.

Yes, some servers WILL do that; however, you do have to abuse it.

Also this thread is getting pointless. No more replies are needed.

NormanS (MVM, San Jose, CA) to pclover:

said by pclover:

said by NormanS:

said by JohnInSJ:

You do? What kind of test are you running? Are you polling port 25 of an SMTP server? Is it your server? Why do you think repeated failed interactions with an SMTP server wouldn't get your IP banned at that server?

Why do you think testing will result in failure? Here is a test (from a residential connection, no less):
C:\util\dig>telnet mx1.comcast.net 25
Connecting To mx1.comcast.net...
 
220 imta09.westchester.pa.mail.comcast.net comcast ESMTP server ready
quit
221 2.0.0 imta09.westchester.pa.mail.comcast.net comcast closing connection
 
Connection to host lost.
 

This points out that mail.comcast.net is responding to port 25.

No, sir; actually it does not. I was testing against an MX server to refute an argument about the response of an MX server. Nor is my result a failure. It is the wholly expected response of an SMTP server to the, "QUIT" command.

If I were to try the same to the Comcast message submission server, based on the Comcast pubs I would expect failure on port 25 (source IP address is not a Comcast IP address block) but success (to the "QUIT" command) on port 465.
C:\util\dig>telnet mail.comcast.net 25
Connecting To mail.comcast.net...Could not open connection to the host,
on port 25: Connect failed
 
NormanS (MVM, San Jose, CA) to JohnInSJ:

said by JohnInSJ:

said by NormanS:

Does that qualify as a failure?

Repeated probes with no response to handshake get you banned from my email server; other admins may choose other patterns of malicious behavior to ban on.

And you claim to run a server! Or is the SMTP "QUIT" command not a proper response to the handshake?

And you not being able to reach an email server is (clearly) no indication of the health of the server.

How is my posted result a failure to reach the server? The server properly responded with its banner, and properly accepted the RFC-compliant SMTP "QUIT" command. If, instead of quit, I had responded with, "EHLO mxa.mydomain.tld", I would have received additional SMTP prompts. As long as I continued to respond to prompts with proper, and appropriate commands, I could have sent an email to any Comcast user whose '@comcast.net' email address I know.

Why do you feel the need to do this from a residential account?

Why do you even care? As long as I am operating within the terms of my ISP.

JohnInSJ (Premium Member, Aptos, CA):

didn't see the quit, thought he just disconnected - forgive me. Whatever, no port 25 on residential, that's the rule.

NormanS (MVM, San Jose, CA):

said by JohnInSJ:

didn't see the quit, thought he just disconnected - forgive me. Whatever, no port 25 on residential, that's the rule.

Whose rule? And how do you actually determine "residential"? I test for "DUL" on my server; "Dynamic User List".

Do you see the difference?

173-228-99-1x.dsl.dynamic.sonic.net
173-228-7-21x.dsl.static.sonic.net

The first is not allowed to run servers; indeed, port 25 will be blocked both directions.

The second is allowed to run servers, with port 25 access not blocked.

Upon receiving my static IP address assignment, I used the control to set my rDNS to 'mxa.mydomain.tld'.

So how should this work on my end?

Your MX: "Banner"
My MX: "EHLO mxa.mydomain.tld"
Your MX: "Pleased to meet you, mxa.mydomain.tld"
My MX: "MAIL FROM norman@mydomain.tld"
Your MX: "norman@mydomain.tld OK, SEND RCPTS"
My MX: "RCPT TO: you@yourdomain.tld"

And so on; why should you have a problem with that?
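The DUL-style rDNS test and the banner/EHLO/QUIT exchange NormanS lays out above, as an added Python example that is not code from the thread. `looks_dynamic` classifies a reverse-DNS name on the sonic.net naming pattern quoted above (an assumed heuristic, not a real DUL feed); `handshake` runs a well-formed exchange and always ends with QUIT, so a reachability check never looks like a silent probe, and it reports a 554 policy refusal separately from a TCP connect failure. `probe_port`, `handshake_offline` and the canned server transcripts in the test are assumed names and constructed data.

```python
import io
import re
import socket

# Dynamic-pool tokens, modelled on the sonic.net names above (assumed heuristic, not a DUL feed).
DYNAMIC_RDNS = re.compile(r"\b(dyn|dynamic|dhcp|pool|ppp)\b", re.I)

def looks_dynamic(rdns: str) -> bool:
    """True if a reverse-DNS name looks like a dynamic (DUL-listed) address."""
    return bool(DYNAMIC_RDNS.search(rdns))

def read_reply(rfile) -> tuple:
    """Read one SMTP reply, following '250-' continuation lines: (code, texts)."""
    texts = []
    while True:
        line = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ConnectionError(f"closed or malformed reply: {line!r}")
        texts.append(line[4:])
        if line[3:4] != "-":            # "250-" continues, "250 " ends the reply
            return int(line[:3]), texts

def handshake(rfile, wfile, helo_name: str) -> dict:
    """Banner -> EHLO -> QUIT: a well-formed exchange, never a silent drop."""
    result = {"status": "unknown", "banner": "", "extensions": []}
    code, texts = read_reply(rfile)
    result["banner"] = texts[0]
    if code != 220:                     # e.g. "554 ... Port 25 not allowed"
        result["status"] = "policy-refused" if code == 554 else "refused"
        return result
    wfile.write(f"EHLO {helo_name}\r\n".encode("ascii"))
    wfile.flush()
    code, texts = read_reply(rfile)
    if code == 250:
        # Advertised extensions: AUTH here is what marks a submission server.
        result["extensions"] = [t.split()[0].upper() for t in texts[1:] if t]
        result["status"] = "reachable"
    else:
        result["status"] = "ehlo-rejected"
    wfile.write(b"QUIT\r\n")
    wfile.flush()
    try:
        read_reply(rfile)               # expect 221, then the server hangs up
    except ConnectionError:
        pass
    return result

def probe_port(host: str, port: int, helo_name: str, timeout: float = 10) -> dict:
    """Network version: a refused or blocked TCP connect is its own outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            with s.makefile("rb") as r, s.makefile("wb") as w:
                return handshake(r, w, helo_name)
    except OSError as e:
        return {"status": "connect-failed", "banner": str(e), "extensions": []}

def handshake_offline(server_script: bytes, helo_name: str = "mxa.mydomain.tld") -> dict:
    """Drive handshake() with a canned server transcript (constructed test input)."""
    return handshake(io.BytesIO(server_script), io.BytesIO(), helo_name)
```

A result of `connect-failed` from `probe_port` is the ISP block or a firewall; `policy-refused` means the port was reachable but the server declined by policy, which is the distinction the thread keeps tripping over.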

NetFixer (Premium Member, The Boro) to NormanS:

said by NormanS:

No, sir; actually it does not. I was testing against an MX server to refute an argument about the response of an MX server. Nor is my result a failure. It is the wholly expected response of an SMTP server to the, "QUIT" command.

If I were to try the same to the Comcast message submission server, based on the Comcast pubs I would expect failure on port 25 (source IP address is not a Comcast IP address block) but success (to the "QUIT" command) on port 465.

C:\util\dig>telnet mail.comcast.net 25
Connecting To mail.comcast.net...Could not open connection to the host,
on port 25: Connect failed
 

Actually using port 25 or port 587 to mail.comcast.net is doomed even from a Comcast IP address:


webhost:/ # telnet mail.comcast.net 25
Trying 2001:558:fe2d:70::33...
telnet: connect to address 2001:558:fe2d:70::33: Permission denied
Trying 2001:558:fe14:70::33...
telnet: connect to address 2001:558:fe14:70::33: Permission denied
Trying 76.96.40.158...
^C
webhost:/ # telnet mail.comcast.net 587
Trying 2001:558:fe2d:70::33...
telnet: connect to address 2001:558:fe2d:70::33: Permission denied
Trying 2001:558:fe14:70::33...
telnet: connect to address 2001:558:fe14:70::33: Permission denied
Trying 76.96.40.158...
^C
 



If you want to access the Comcast residential mail submission server, you have to use smtp.comcast.net (and that doesn't work on port 25 any more even if you are doing it from a Comcast IP address on a Comcast Business Class account):


webhost:/ # telnet smtp.comcast.net 25
Trying 2001:558:fe14:70::30...
Connected to smtp.comcast.net.
Escape character is '^]'.
554 omta20.westchester.pa.mail.comcast.net comcast Port 25 not allowed - http://customer.comcast.com/help-and-support/in
ternet/email-client-programs-with-xfinity-email/
Connection closed by foreign host.
 
webhost:/ # telnet smtp.comcast.net 587
Trying 2001:558:fe14:70::30...
Connected to smtp.comcast.net.
Escape character is '^]'.
220 omta10.westchester.pa.mail.comcast.net comcast ESMTP server ready
quit
221 2.0.0 omta10.westchester.pa.mail.comcast.net comcast closing connection
Connection closed by foreign host.
 


OTOH, the Comcast Business Class mail submission server is still accessible using port 25:


webhost:/ # telnet smtp.po1.comcast.net 25
Trying 76.96.107.76...
Connected to smtp.po1.comcast.net.
Escape character is '^]'.
220 businessclass.comcast.net ESMTP mail service ready
quit
221 businessclass.comcast.net closing connection
Connection closed by foreign host.
 


JohnInSJ (Premium Member, Aptos, CA) to NormanS:

said by NormanS:

said by JohnInSJ:

didn't see the quit, thought he just disconnected - forgive me. Whatever, no port 25 on residential, that's the rule.

Whose rule? And how do you actually determine "residential"? I test for "DUL" on my server; "Dynamic User List".

Comcast's rule, per the post title, is that they will block port 25 on residential accounts.

Am I in the wrong thread?

I frankly don't care at all, I am on business class with static IPs because the features and access I require are available with that service.

jap (Premium Member) to pclover:

said by pclover:

All email to email server communicates over port 25 AFAIK for SMTP.

It's the historically agreed upon default, yes, with 26 & 587 being widely observed alternates. I've been running my outbound mail through pobox.com's SMTP service since the late 1990s on 587.

Seems a lame faux-security move for Comcast to block a few single ports just because they're the supposed registered port for some given function.

graysonf (MVM, Fort Lauderdale, FL):

said by jap:

Seems a lame faux-security move for Comcast to block 25.

It's not about security. It's about preventing direct MX which has been historically abused by spam bots running on compromised machines.

NormanS (MVM, San Jose, CA) to JohnInSJ:

said by JohnInSJ:

Comcast's rule, per the post title, is that they will block port 25 on residential accounts.

Am I in the wrong thread?

No, but I was sucked away from the OP's concerns by my own obstinacy.

OP wants to test an off-Comcast network SMTP server, and definitely should get a business-class account for that purpose.

NormanS (MVM, San Jose, CA) to jap:

said by jap:

Seems a lame faux-security move for Comcast to block a few single ports just because they're the supposed registered port for some given function.

It isn't lame; it is quite effective. From my own SMTP logs, back in 2002 (when SBC implemented port 25 blocking), I saw SBC drop from being the single, largest U.S. source of spam attempts to my accounts to near dead last.

NetFixer (Premium Member, The Boro) to jap:

said by jap:

said by pclover:

All email to email server communicates over port 25 AFAIK for SMTP.

It's the historically agreed upon default, yes, with 26 & 587 being long established alternates. I've been running my outbound mail through pobox.com's SMTP service since the late 1990s on 587.

Seems a lame faux-security move for Comcast to block 25.

You are confusing SMTP with Mail Submission; there is a big difference. SMTP always uses port 25, and no authentication is required. A properly configured mail submission server (which can use port 26, 587, 1025, or whatever port the server is set up for) on the other hand "should" require authentication. It is the unauthenticated SMTP traffic that is the target for Comcast's port 25 block; a few improperly configured mail submission servers (that only allow the use of port 25) are simply collateral damage.

It is no more a "lame faux-security move" than the act of locking your doors, windows, and fence gates.

jap (Premium Member):

said by NetFixer:

You are confusing SMTP with Mail Submission...

Thank you for the explanation. It makes sense: submit to SMTP server on port xxx (commonly 25, 26, or 587) but SMTP serves into formal mail system always on 25.

Now if in 1990 we had made it globally legal to publicly execute spammers and the CEOs of the corps they worked for we would have saved billion$, countless hours of hell, and all just email each other directly. Ah well.

ArrayList (DevOps, Premium Member, Mullica Hill, NJ) to graysonf:

Wait a minute, they block the ability to connect to mail servers that are not even on their network via port 25? That is a standard SMTP port. Comcast shouldn't be blocking it.

ArrayList (DevOps, Premium Member, Mullica Hill, NJ) to NormanS:

said by NormanS:

OP wants to test an off-Comcast network SMTP server, and definitely should get a business-class account for that purpose.

really? a business class connection just to test if port 25 is working?

graysonf (MVM, Fort Lauderdale, FL) to ArrayList:

They do for residential service because it eliminates the ability to do direct MX, which is the method compromised machines use to send large volumes of spam.

Most ISPs do this on residential service.

ArrayList (DevOps, Premium Member, Mullica Hill, NJ):

Most residential IP blocks are blacklisted from even exchanging mail with mail servers. I'm on business class right now. The IP address that I have now, I also had on residential. Port 25 has never been blocked for me to non-Comcast email servers. Maybe I slipped through the cracks or something, but it is what it is.