JohnInSJ
Premium
join:2003-09-22
San Jose, CA
reply to pclover

Re: Comcast decides to block port 25 IN and OUT with no notice.

said by pclover:

All email to email server communicates over port 25 AFAIK for SMTP.

And if you are running a server, you're using comcast business class with a static IP, and your port 25 is not blocked.
--
My place : »www.schettino.us


pclover

join:2008-08-02
Santa Cruz, CA
Reviews:
·Comcast

said by JohnInSJ:

said by pclover:

All email to email server communicates over port 25 AFAIK for SMTP.

And if you are running a server, you're using comcast business class with a static IP, and your port 25 is not blocked.

Why is it assumed that I am running a server? I need to test to make sure an email server is working correctly!

biomesh
Premium
join:2006-07-08
Tomball, TX

I don't see how running SMTP tests from a residential connection are truly valid tests. What if the SMTP server had its own firewall or blacklist enabled for some of Comcast's IP ranges? You should really be doing these tests from a datacenter-level connection.



graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

said by biomesh:

I don't see how running SMTP tests from a residential connection are truly valid tests. What if the SMTP server had its own firewall or blacklist enabled for some of Comcast's IP ranges? You should really be doing these tests from a datacenter-level connection.

One who is testing against such an SMTP server for legitimate reasons would be aware of those potential problems.


JohnInSJ
Premium
join:2003-09-22
San Jose, CA
reply to pclover

said by pclover:

said by JohnInSJ:

said by pclover:

All email to email server communicates over port 25 AFAIK for SMTP.

And if you are running a server, you're using comcast business class with a static IP, and your port 25 is not blocked.

Why is it assumed that I am running a server? I need to test to make sure an email server is working correctly!

You do? What kind of test are you running? Are you polling port 25 of an SMTP server? Is it your server? Why do you think repeated failed interactions with an SMTP server wouldn't get your IP banned at that server?
--
My place : »www.schettino.us


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
·Pacific Bell - SBC

said by JohnInSJ:

You do? What kind of test are you running? Are you polling port 25 of an SMTP server? Is it your server? Why do you think repeated failed interactions with an SMTP server wouldn't get your IP banned at that server?

Why do you think testing will result in failure? Here is a test (from a residential connection, no less):
C:\util\dig>telnet mx1.comcast.net 25
Connecting To mx1.comcast.net...
 
220 imta09.westchester.pa.mail.comcast.net comcast ESMTP server ready
quit
221 2.0.0 imta09.westchester.pa.mail.comcast.net comcast closing connection
 
Connection to host lost.
 
Does that qualify as a failure?

FWIW, the source IP address is not in a DUL. The generic form of the rDNS is: 173-228-7-21x.dsl.static.sonic.net, which Sonic.net will not submit to any DUL for obvious reasons. But my specific IP address will respond with, 'mxa.mydomain.tld'.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


pclover

join:2008-08-02
Santa Cruz, CA
Reviews:
·Comcast

said by NormanS:

said by JohnInSJ:

You do? What kind of test are you running? Are you polling port 25 of an SMTP server? Is it your server? Why do you think repeated failed interactions with an SMTP server wouldn't get your IP banned at that server?

Why do you think testing will result in failure? Here is a test (from a residential connection, no less):
C:\util\dig>telnet mx1.comcast.net 25
Connecting To mx1.comcast.net...
 
220 imta09.westchester.pa.mail.comcast.net comcast ESMTP server ready
quit
221 2.0.0 imta09.westchester.pa.mail.comcast.net comcast closing connection
 
Connection to host lost.
 
Does that qualify as a failure?

FWIW, the source IP address is not in a DUL. The generic form of the rDNS is: 173-228-7-21x.dsl.static.sonic.net, which Sonic.net will not submit to any DUL for obvious reasons. But my specific IP address will respond with, 'mxa.mydomain.tld'.

This points out that mail.comcast.net is responding to port 25.

This is what I need!

I need to verify on new servers that Port 25 can be accessed outside of the local network.

Does me no good to use an alternate port as email servers communicate with other email servers over port 25 and if that's not working SMTP will fail and the mail queue will start building.

I was quoted around $94 a month for business phone and internet. Free install with 2 year agreement.


JohnInSJ
Premium
join:2003-09-22
San Jose, CA
reply to NormanS

said by NormanS:

Does that qualify as a failure?

Repeated probes with no response to handshake gets you banned from my email server, other admins may choose other patterns of malicious behavior to ban on.

And you not being able to reach an email server is (clearly) no indication of the health of the server. Why do you feel the need to do this from a residential account?
--
My place : »www.schettino.us


pclover

join:2008-08-02
Santa Cruz, CA
Reviews:
·Comcast

said by JohnInSJ:

said by NormanS:

Does that qualify as a failure?

Repeated probes with no response to handshake gets you banned from my email server, other admins may choose other patterns of malicious behavior to ban on.

And you not being able to reach an email server is (clearly) no indication of the health of the server. Why do you feel the need to do this from a residential account?

To test for firewall rules etc.

Yes, some servers WILL do that; however, you do have to abuse it.

Also this thread is getting pointless. No more replies are needed.


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
·Pacific Bell - SBC

1 edit

1 recommendation

reply to pclover

said by pclover:

said by NormanS:

said by JohnInSJ:

You do? What kind of test are you running? Are you polling port 25 of an SMTP server? Is it your server? Why do you think repeated failed interactions with an SMTP server wouldn't get your IP banned at that server?

Why do you think testing will result in failure? Here is a test (from a residential connection, no less):
C:\util\dig>telnet mx1.comcast.net 25
Connecting To mx1.comcast.net...
 
220 imta09.westchester.pa.mail.comcast.net comcast ESMTP server ready
quit
221 2.0.0 imta09.westchester.pa.mail.comcast.net comcast closing connection
 
Connection to host lost.
 

This points out that mail.comcast.net is responding to port 25.

No, sir; actually it does not. I was testing against an MX server to refute an argument about the response of an MX server. Nor is my result a failure. It is the wholly expected response of an SMTP server to the, "QUIT" command.

If I were to try the same to the Comcast message submission server, based on the Comcast pubs I would expect failure on port 25 (source IP address is not a Comcast IP address block) but success (to the "QUIT" command) on port 465.
C:\util\dig>telnet mail.comcast.net 25
Connecting To mail.comcast.net...Could not open connection to the host,
on port 25: Connect failed
 

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
·Pacific Bell - SBC
reply to JohnInSJ

said by JohnInSJ:

said by NormanS:

Does that qualify as a failure?

Repeated probes with no response to handshake gets you banned from my email server, other admins may choose other patterns of malicious behavior to ban on.

And you claim to run a server! Or is the SMTP "QUIT" command not a proper response to the handshake?

And you not being able to reach an email server is (clearly) no indication of the health of the server.

How is my posted result a failure to reach the server? The server properly responded with its banner, and properly accepted the RFC-compliant SMTP "QUIT" command. If, instead of quit, I had responded with, "EHLO mxa.mydomain.tld", I would have received additional SMTP prompts. As long as I continued to respond to prompts with proper, and appropriate commands, I could have sent an email to any Comcast user whose '@comcast.net' email address I know.

Why do you feel the need to do this from a residential account?

Why do you even care? As long as I am operating within the terms of my ISP.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


JohnInSJ
Premium
join:2003-09-22
San Jose, CA

didn't see the quit, thought he just disconnected - forgive me. Whatever, no port 25 on residential, that's the rule.
--
My place : »www.schettino.us



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
·Pacific Bell - SBC

said by JohnInSJ:

didn't see the quit, thought he just disconnected - forgive me. Whatever, no port 25 on residential, that's the rule.

Whose rule? And how do you actually determine "residential"? I test for "DUL" on my server; "Dynamic User List".

Do you see the difference?

173-228-99-1x.dsl.dynamic.sonic.net
173-228-7-21x.dsl.static.sonic.net

The first is not allowed to run servers; indeed, port 25 will be blocked both directions.

The second is allowed to run servers, with port 25 access not blocked.

Upon receiving my static IP address assignment, I used the control to set my rDNS to 'mxa.mydomain.tld'.

So how should this work on my end?

Your MX: "Banner"
My MX: "EHLO mxa.mydomain.tld"
Your MX: "Pleased to meet you, mxa.mydomain.tld"
My MX: "MAIL FROM norman@mydomain.tld"
Your MX: "norman@mydomain.tld OK, SEND RCPTS"
My MX: "RCPT TO: you@yourdomain.tld"

And so on; why should you have a problem with that?
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
·Comcast
reply to NormanS

said by NormanS:

No, sir; actually it does not. I was testing against an MX server to refute an argument about the response of an MX server. Nor is my result a failure. It is the wholly expected response of an SMTP server to the, "QUIT" command.

If I were to try the same to the Comcast message submission server, based on the Comcast pubs I would expect failure on port 25 (source IP address is not a Comcast IP address block) but success (to the "QUIT" command) on port 465.

C:\util\dig>telnet mail.comcast.net 25
Connecting To mail.comcast.net...Could not open connection to the host,
on port 25: Connect failed
 

Actually using port 25 or port 587 to mail.comcast.net is doomed even from a Comcast IP address:


webhost:/ # telnet mail.comcast.net 25
Trying 2001:558:fe2d:70::33...
telnet: connect to address 2001:558:fe2d:70::33: Permission denied
Trying 2001:558:fe14:70::33...
telnet: connect to address 2001:558:fe14:70::33: Permission denied
Trying 76.96.40.158...
^C
webhost:/ # telnet mail.comcast.net 587
Trying 2001:558:fe2d:70::33...
telnet: connect to address 2001:558:fe2d:70::33: Permission denied
Trying 2001:558:fe14:70::33...
telnet: connect to address 2001:558:fe14:70::33: Permission denied
Trying 76.96.40.158...
^C
 



If you want to access the Comcast residential mail submission server, you have to use smtp.comcast.net (and that doesn't work on port 25 any more even if you are doing it from a Comcast IP address on a Comcast Business Class account):


webhost:/ # telnet smtp.comcast.net 25
Trying 2001:558:fe14:70::30...
Connected to smtp.comcast.net.
Escape character is '^]'.
554 omta20.westchester.pa.mail.comcast.net comcast Port 25 not allowed - http://customer.comcast.com/help-and-support/internet/email-client-programs-with-xfinity-email/
Connection closed by foreign host.
 
webhost:/ # telnet smtp.comcast.net 587
Trying 2001:558:fe14:70::30...
Connected to smtp.comcast.net.
Escape character is '^]'.
220 omta10.westchester.pa.mail.comcast.net comcast ESMTP server ready
quit
221 2.0.0 omta10.westchester.pa.mail.comcast.net comcast closing connection
Connection closed by foreign host.
 


OTOH, the Comcast Business Class mail submission server is still accessible using port 25:


webhost:/ # telnet smtp.po1.comcast.net 25
Trying 76.96.107.76...
Connected to smtp.po1.comcast.net.
Escape character is '^]'.
220 businessclass.comcast.net ESMTP mail service ready
quit
221 businessclass.comcast.net closing connection
Connection closed by foreign host.
 



--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.
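
The telnet sessions in this thread end in four distinct ways: connect failure, a silent hang, a 554 policy rejection at the banner, or a 220 banner followed by a clean QUIT. The following is an added example, not part of any post in the thread, of a single-connection check that tells them apart and always closes with QUIT so it does not look like an abandoned handshake. The function names and outcome labels are assumptions made for this sketch.

```python
import socket

def parse_reply(line):
    """Split one SMTP reply line into (code, text); code is None if malformed."""
    line = line.strip()
    if len(line) >= 3 and line[:3].isdigit():
        return int(line[:3]), line[4:]
    return None, line

def classify(banner, quit_reply=""):
    """Map the banner (and the reply to QUIT) to one of the outcomes in the thread."""
    code, _ = parse_reply(banner)
    if code == 220:
        return "reachable" if parse_reply(quit_reply)[0] == 221 else "banner-only"
    if code is not None and 400 <= code <= 599:
        return "refused-by-policy"      # e.g. 554 ... Port 25 not allowed
    return "not-smtp"

def read_reply(f):
    """Read a possibly multi-line reply ("220-..." continues); return its last line."""
    while True:
        raw = f.readline()
        if not raw:
            return ""
        line = raw.decode("ascii", "replace")
        if len(line) < 4 or line[3] != "-":
            return line

def probe(host, port=25, timeout=10.0):
    """One connection, one QUIT: never drops the session mid-handshake."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "filtered-timeout"       # packets silently dropped ("Trying ..." then ^C)
    except OSError:
        return "connect-failed"         # refused, "Permission denied", or unresolved
    with sock, sock.makefile("rwb") as f:
        try:
            banner = read_reply(f)
            quit_reply = ""
            if parse_reply(banner)[0] == 220:
                f.write(b"QUIT\r\n")
                f.flush()
                quit_reply = read_reply(f)
        except OSError:
            return "no-banner"          # connected, but the server never spoke in time
    return classify(banner, quit_reply)
```

Comparing `probe(host, 25)` with `probe(host, 587)` from the same vantage point separates an ISP-level port 25 block from a firewall rule on the server itself.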


JohnInSJ
Premium
join:2003-09-22
San Jose, CA
reply to NormanS

said by NormanS:

said by JohnInSJ:

didn't see the quit, thought he just disconnected - forgive me. Whatever, no port 25 on residential, that's the rule.

Whose rule? And how do you actually determine "residential"? I test for "DUL" on my server; "Dynamic User List".

Comcast's rule, per the post title, is that they will block port 25 on residential accounts.

Am I in the wrong thread?

I frankly don't care at all, I am on business class with static IPs because the features and access I require are available with that service.
--
My place : »www.schettino.us


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
·Pacific Bell - SBC

said by JohnInSJ:

Comcast's rule, per the post title, is that they will block port 25 on residential accounts.

Am I in the wrong thread?

No, but I was sucked away from the OP's concerns by my own obstinacy.

OP wants to test an off-Comcast network SMTP server, and definitely should get a business-class account for that purpose.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


ArrayList
netbus developer
Premium
join:2005-03-19
Evanston, IL
Reviews:
·Comcast

said by NormanS:

OP wants to test an off-Comcast network SMTP server, and definitely should get a business-class account for that purpose.

really? a business class connection just to test if port 25 is working?


JohnInSJ
Premium
join:2003-09-22
San Jose, CA

said by ArrayList:

said by NormanS:

OP wants to test an off-Comcast network SMTP server, and definitely should get a business-class account for that purpose.

really? a business class connection just to test if port 25 is working?

Why does a residential user need to "test if port 25 is working" on a server they don't run?
--
My place : »www.schettino.us


ArrayList
netbus developer
Premium
join:2005-03-19
Evanston, IL

the server is not run on the business class connection. That alone says that you don't need business level service.



JohnInSJ
Premium
join:2003-09-22
San Jose, CA

said by ArrayList:

the server is not run on the business class connection. That alone says that you don't need business level service.

I have no idea what you're saying here. You aren't allowed to run any server on residential. Only an SMTP SERVER needs to send traffic on port 25. Therefore you need to be on business class to send traffic on port 25. QED
--
My place : »www.schettino.us


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
·Pacific Bell - SBC

1 edit
reply to ArrayList

said by ArrayList:

said by NormanS:

OP wants to test an off-Comcast network SMTP server, and definitely should get a business-class account for that purpose.

really? a business class connection just to test if port 25 is working?

Yes, because port 25 is no longer a standard user port; hasn't really been since RFC 2476 was published in December, 1998.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


ArrayList
netbus developer
Premium
join:2005-03-19
Evanston, IL
Reviews:
·Comcast
reply to JohnInSJ

said by JohnInSJ:

said by ArrayList:

the server is not run on the business class connection. That alone says that you don't need business level service.

I have no idea what you're saying here.

I don't run a server on my connection, why can't I open a tcp connection to a remote server over port 25 without paying more money for the privilege to do so? I really don't care either way. Spammers will spam regardless of what Comcast does.

AVonGauss
Premium
join:2007-11-01
Boynton Beach, FL

Blocking outbound 25/tcp significantly lowers the amount of e-mail spam coming from an ISP. If you run a mail server, it's very easy to tell who is blocking and who is not blocking based on the spam mail attempts.

I probably already said this in this thread, but Comcast should have done this years ago.



graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

1 recommendation

reply to ArrayList

Get a free shell account on »www.cjb.net

Connect anywhere you want to destination port TCP 25.



JohnInSJ
Premium
join:2003-09-22
San Jose, CA

1 recommendation

reply to ArrayList

said by ArrayList:

said by JohnInSJ:

said by ArrayList:

the server is not run on the business class connection. That alone says that you don't need business level service.

I have no idea what you're saying here.

I don't run a server on my connection, why can't I open a tcp connection to a remote server over port 25 without paying more money for the privilege to do so? I really don't care either way. Spammers will spam regardless of what Comcast does.

Port 25 communications is reserved for servers. That's why.
--
My place : »www.schettino.us


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
·Pacific Bell - SBC
reply to ArrayList

said by ArrayList:

Spammers will spam regardless of what Comcast does.

Prior to 2002, when SBC blocked customer access to port 25, SBC residential hosts were the most prevalent spam source IP addresses in my server logs. Subsequent to the blocking, SBC residential hosts dropped to near last. While spammers continued to spam, they were much less successful at using compromised SBC residential customer hosts.

FWIW, SBC led Comcast until the blocks. After the SBC blocks, SBC dropped behind Comcast as a spam source. From which I deduced that blocking port 25 reduced the amount of abuse coming from SBC.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum
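
Two points made in this thread, that generic dynamic and static rDNS names are distinguishable and that a mail server's logs show which providers' residential hosts are connecting, can be combined into one log summary. The following is an added example, not code from any poster; it is an rDNS naming heuristic, not a DUL lookup. The keyword list, the `connect from host[ip]` log layout, the `isp-a.example` names and the addresses are all constructed assumptions.

```python
import re
from collections import Counter

# Four IPv4 octets embedded in the name, e.g. 192-0-2-10 or 10.2.0.192
_OCTETS = re.compile(r"(?<!\d)\d{1,3}([-.]\d{1,3}){3}(?!\d)")
# Assumed keyword list; real providers use many more naming schemes.
_DYNAMIC = re.compile(r"(^|[.-])(dyn|dynamic|dhcp|pool|ppp|dialup)([.-]|\d|$)")
_STATIC = re.compile(r"(^|[.-])static([.-]|$)")
_LOG = re.compile(r"connect from (?P<ptr>\S+)\[(?P<ip>[\d.]+)\]")

def classify_rdns(ptr):
    """Label a PTR name as dynamic pool, generic static, or operator-chosen."""
    if not ptr:
        return "no-rdns"
    name = ptr.lower().rstrip(".")
    if _DYNAMIC.search(name):
        return "generic-dynamic"
    if _OCTETS.search(name):
        return "generic-static" if _STATIC.search(name) else "generic-unknown"
    return "custom"

def provider(ptr):
    """Last two labels of the name (naive; no public-suffix handling)."""
    return ".".join(ptr.lower().rstrip(".").split(".")[-2:])

def tally(lines):
    """Count inbound connections per (provider, rDNS class)."""
    counts = Counter()
    for line in lines:
        m = _LOG.search(line)
        if not m:
            continue
        ptr = "" if m.group("ptr") == "unknown" else m.group("ptr")
        counts[(provider(ptr) if ptr else "-", classify_rdns(ptr))] += 1
    return counts

# Constructed sample log lines (documentation address ranges, invented ISP name).
SAMPLE_LOG = """\
Jun 01 10:00:01 mx connect from 192-0-2-10.dsl.dynamic.isp-a.example[192.0.2.10]
Jun 01 10:00:07 mx connect from 192-0-2-77.dsl.dynamic.isp-a.example[192.0.2.77]
Jun 01 10:01:12 mx connect from 198-51-100-21.dsl.static.isp-a.example[198.51.100.21]
Jun 01 10:02:30 mx connect from mxa.mydomain.tld[203.0.113.5]
Jun 01 10:03:00 mx connect from unknown[203.0.113.99]
""".splitlines()

if __name__ == "__main__":
    for (prov, kind), n in tally(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {prov:16s} {kind}")
```

Run over the same log before and after a provider starts blocking outbound port 25, a drop in that provider's `generic-dynamic` count is the effect described above.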