

pclover

join:2008-08-02
Santa Cruz, CA
Reviews:
·Comcast

Comcast decides to block port 25 IN and OUT with no notice.

Comcast in my area decided to block port 25 IN and OUT so my SMTP would stop working without notice.

Any idea why this would occur with no notice?

»amibotted.comcast.net says All Clear

Comcast has already irked me and now they do this.


claydowns

join:2012-05-24
Ann Arbor, MI

1 recommendation

I believe port 25 has been published on their list of blocked ports at »customer.comcast.com/help-and-su···d-ports/

A quick search reveals a blog post about it from August 1st, 2012 on their blog »corporate.comcast.com/comcast-vo···-port-25 The post mentions a slow phase in of the block which probably explains why you're noticing it months after the fact.

From the first link it seems you just need to use one of the alternate SMTP ports. Hope that helps some...



pclover

join:2008-08-02
Santa Cruz, CA
Reviews:
·Comcast

1 edit

said by claydowns:

I believe port 25 has been published on their list of blocked ports at »customer.comcast.com/help-and-su···d-ports/

A quick search reveals a blog post about it from August 1st, 2012 on their blog »corporate.comcast.com/comcast-vo···-port-25 The post mentions a slow phase in of the block which probably explains why you're noticing it months after the fact.

From the first link it seems you just need to use one of the alternate SMTP ports. Hope that helps some...

Thanks for that. I guess Comcast is going to fully block port 25. I thought before they were going to allow it to be open and then block it if they got an abuse complaint.

I am using 587 and the problem is solved.

EDIT: I am going to contact the Customer Security Assurance and see if I can get it removed. I need port 25 as I do Remote IT.

Oedipus

join:2005-05-09
kudos:1

1 recommendation

Not quite sure what you do in "remote IT" that requires port 25, but as soon as you tell Comcast that they will come right back and either say a.) tough cookies, or b.) get a business class connection.



pclover

join:2008-08-02
Santa Cruz, CA
Reviews:
·Comcast

said by Oedipus:

Not quite sure what you do in "remote IT" that requires port 25, but as soon as you tell Comcast that they will come right back and either say a.) tough cookies, or b.) get a business class connection.

That blog post says "Upon request to our Customer Security Assurance team this block can be removed, enabling access to use port 25 for other email domains"

I need port 25 open to test to make sure the mail servers will accept a connection on it via telnet. If all servers blocked port 25 email would cease to function.

AVonGauss
Premium
join:2007-11-01
Boynton Beach, FL

No, but it is very common for ISPs to require their subscribers to go through their own mail servers or use an alternate port that typically requires authentication to contact remote SMTP servers. This really isn't something new.

As was already mentioned, a business connection from Comcast does not have this restriction or a remote intermediary host or VPS can be used to perform the required tests.



pclover

join:2008-08-02
Santa Cruz, CA
Reviews:
·Comcast

said by AVonGauss:

No, but it is very common for ISPs to require their subscribers to go through their own mail servers or use an alternate port that typically requires authentication to contact remote SMTP servers. This really isn't something new.

As was already mentioned, a business connection from Comcast does not have this restriction or a remote intermediary host or VPS can be used to perform the required tests.

I can do that. I am going to contact them and see what they say tomorrow. It says in the blog post that they will but we will see.


JohnInSJ
Premium
join:2003-09-22
San Jose, CA
reply to pclover

said by pclover:

Comcast in my area decided to block port 25 IN and OUT so my SMTP would stop working without notice.

Any idea why this would occur with no notice?

»amibotted.comcast.net says All Clear

Comcast has already irked me and now they do this.

Because you're not on a business class account with static IP addresses? That is the only class of service that specifically allows servers, and specifically indicates no ports are blocked.
--
My place : »www.schettino.us

dniksich

join:2012-05-23
Gary, IN
reply to pclover

I received this email about it, is it what you're talking about?

Dear Valued XFINITY® Internet Customer,

We care about your email security when using our network. On August 1, Comcast announced that for security reasons we will no longer support the use of port 25 for sending email from programs like Outlook or Apple Mail. It appears that one or more computers connected to your Internet account are using port 25 to send email. A port is a connection through which information flows from a program on your computer, from another computer in a network, or to your computer from the Internet. Port 25 is an unsecured port, and it is increasingly used to send spam emails through malicious computer programs called malware. These spam emails are usually sent by computers that have been infected by viruses, and as a result, most users are unaware that their computers are sending spam. By no longer supporting port 25 to send e-mail, this will help prevent your computer from sending spam without your knowledge.

What You Need To Do:

We are asking you and other impacted customers to change your email program settings to port 465, which provides more security. You will be unable to send email over port 25 once it is disabled, and you will need to update your settings to port 465 in order to continue to send email. Please click the link below for your current email software and follow the step-by-step instructions to change your settings.



jlivingood
Premium,VIP
join:2007-10-28
Philadelphia, PA
kudos:2
reply to pclover

said by pclover:

I am using 587 and the problem is solved.

EDIT: I am going to contact the Customer Security Assurance and see if I can get it removed. I need port 25 as I do Remote IT.

If you switched to 587 and it works, why do you need to move back to port 25?
--
JL
Comcast


flwpwr

@comcast.net
reply to pclover

It was in the bill mailers, and I am pretty sure I have seen it here. It was notified; you just ignored it or did not pay attention. So you learned the hard way, like most things in life.



graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:1
reply to jlivingood

It's not a matter of not being able to connect to Comcast mail servers on port 25. It's that this policy makes it impossible to connect to any other mail server on port 25. Some people do have a legitimate need to do this.



pclover

join:2008-08-02
Santa Cruz, CA
Reviews:
·Comcast

said by graysonf:

It's not a matter of not being able to connect to Comcast mail servers on port 25. It's that this policy makes it impossible to connect to any other mail server on port 25. Some people do have a legitimate need to do this.

They do, like me, but it's a very small percent. They said that they will try and have the block removed but cannot guarantee that it will not be blocked again.

I think I am going to look into a business account.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:1

Another option would be to obtain a shell account, perhaps a freebie, on another network that does not block outbound port 25.



pclover

join:2008-08-02
Santa Cruz, CA
Reviews:
·Comcast

said by graysonf:

Another option would be to obtain a shell account, perhaps a freebie, on another network that does not block outbound port 25.

I could do that. However, the VPS idea inside of the network wouldn't let me make sure it can be accessed outside of the network.

All email to email server communicates over port 25 AFAIK for SMTP.


JohnInSJ
Premium
join:2003-09-22
San Jose, CA

said by pclover:

All email to email server communicates over port 25 AFAIK for SMTP.

And if you are running a server, you're using comcast business class with a static IP, and your port 25 is not blocked.
--
My place : »www.schettino.us


pclover

join:2008-08-02
Santa Cruz, CA
Reviews:
·Comcast

said by JohnInSJ:

said by pclover:

All email to email server communicates over port 25 AFAIK for SMTP.

And if you are running a server, you're using comcast business class with a static IP, and your port 25 is not blocked.

Why is it assumed that I am running a server? I need to test to make sure an email server is working correctly!

biomesh
Premium
join:2006-07-08
Tomball, TX

I don't see how running SMTP tests from a residential connection are truly valid tests. What if the SMTP server had its own firewall or blacklist enabled for some of Comcast's IP ranges? You should really be doing these tests from a datacenter level connection.



workablob

join:2004-06-09
Houston, TX
kudos:2
Reviews:
·Comcast
reply to pclover

said by pclover:

Comcast in my area decided to block port 25 IN and OUT so my SMTP would stop working without notice.

Any idea why this would occur with no notice?

»amibotted.comcast.net says All Clear

Comcast has already irked me and now they do this.

Comcast began blocking 25 for me a few years ago so I had to configure my Exchange server to use Port 587.

Also, since many recipients' mail systems reject sources that are DHCP, I use a smart connector pointing to Comcast SMTP for sending.

Dave
--
I may have been born yesterday. But it wasn't at night.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:1
reply to biomesh

said by biomesh:

I don't see how running SMTP tests from a residential connection are truly valid tests. What if the SMTP server had its own firewall or blacklist enabled for some of Comcast's IP ranges? You should really be doing these tests from a datacenter level connection.

One who is testing against such an SMTP server for legitimate reasons would be aware of those potential problems.


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
reply to pclover

said by pclover:

Comcast in my area decided to block port 25 IN and OUT so my SMTP would stop working without notice.

Without notice? From other sources it appears that Comcast gave as much notice as SBC did when they implemented their port 25 embargo in 2002; I still have that e-mail announcement.

My current ISP blocks port 25 in both directions on DHCP accounts. They offer static IP accounts with no port 25 block. As others have suggested, a Comcast business account will give you port 25 access.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


JohnInSJ
Premium
join:2003-09-22
San Jose, CA
reply to pclover

said by pclover:

said by JohnInSJ:

said by pclover:

All email to email server communicates over port 25 AFAIK for SMTP.

And if you are running a server, you're using comcast business class with a static IP, and your port 25 is not blocked.

Why is it assumed that I am running a server? I need to test to make sure an email server is working correctly!

You do? What kind of test are you running? Are you polling port 25 of an SMTP server? Is it your server? Why do you think repeated failed interactions with an SMTP server wouldn't get your IP banned at that server?
--
My place : »www.schettino.us


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET

said by JohnInSJ:

You do? What kind of test are you running? Are you polling port 25 of an SMTP server? Is it your server? Why do you think repeated failed interactions with an SMTP server wouldn't get your IP banned at that server?

Why do you think testing will result in failure? Here is a test (from a residential connection, no less):
C:\util\dig>telnet mx1.comcast.net 25
Connecting To mx1.comcast.net...
 
220 imta09.westchester.pa.mail.comcast.net comcast ESMTP server ready
quit
221 2.0.0 imta09.westchester.pa.mail.comcast.net comcast closing connection
 
Connection to host lost.
 
Does that qualify as a failure?

FWIW, the source IP address is not in a DUL. The generic form of the rDNS is: 173-228-7-21x.dsl.static.sonic.net, which Sonic.net will not submit to any DUL for obvious reasons. But my specific IP address will respond with, 'mxa.mydomain.tld'.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


pclover

join:2008-08-02
Santa Cruz, CA
Reviews:
·Comcast

said by NormanS:

said by JohnInSJ:

You do? What kind of test are you running? Are you polling port 25 of an SMTP server? Is it your server? Why do you think repeated failed interactions with an SMTP server wouldn't get your IP banned at that server?

Why do you think testing will result in failure? Here is a test (from a residential connection, no less):
C:\util\dig>telnet mx1.comcast.net 25
Connecting To mx1.comcast.net...
 
220 imta09.westchester.pa.mail.comcast.net comcast ESMTP server ready
quit
221 2.0.0 imta09.westchester.pa.mail.comcast.net comcast closing connection
 
Connection to host lost.
 
Does that qualify as a failure?

FWIW, the source IP address is not in a DUL. The generic form of the rDNS is: 173-228-7-21x.dsl.static.sonic.net, which Sonic.net will not submit to any DUL for obvious reasons. But my specific IP address will respond with, 'mxa.mydomain.tld'.

This points out that mail.comcast.net is responding to port 25.

This is what I need!

I need to verify on new servers that Port 25 can be accessed outside of the local network.

Does me no good to use an alternate port, as email servers communicate with other email servers over port 25, and if that's not working SMTP will fail and the mail queue will start building.

I was quoted around 94$ a month for business phone and internet. Free install with 2 year agreement.


JohnInSJ
Premium
join:2003-09-22
San Jose, CA
reply to NormanS

said by NormanS:

Does that qualify as a failure?

Repeated probes with no response to handshake gets you banned from my email server, other admins may choose other patterns of malicious behavior to ban on.

And you not being able to reach an email server is (clearly) no indication of the health of the server. Why do you feel the need to do this from a residential account?
--
My place : »www.schettino.us


pclover

join:2008-08-02
Santa Cruz, CA
Reviews:
·Comcast

said by JohnInSJ:

said by NormanS:

Does that qualify as a failure?

Repeated probes with no response to handshake gets you banned from my email server, other admins may choose other patterns of malicious behavior to ban on.

And you not being able to reach an email server is (clearly) no indication of the health of the server. Why do you feel the need to do this from a residential account?

To test for firewall rules etc.

Yes, some servers WILL do that; however, you do have to abuse it.

Also this thread is getting pointless. No more replies are needed.


jbob
Reach Out and Touch Someone
Premium
join:2004-04-26
Little Rock, AR
reply to pclover

Hmmmm...wonder if I missed the email? I have not noticed it here (the email notice) but just the same I quit using port 25 years ago. I even have port 25 blocked at my router to help prevent its usage from unexpected spam bots.



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET

1 edit

1 recommendation

reply to pclover

said by pclover:

said by NormanS:

said by JohnInSJ:

You do? What kind of test are you running? Are you polling port 25 of an SMTP server? Is it your server? Why do you think repeated failed interactions with an SMTP server wouldn't get your IP banned at that server?

Why do you think testing will result in failure? Here is a test (from a residential connection, no less):
C:\util\dig>telnet mx1.comcast.net 25
Connecting To mx1.comcast.net...
 
220 imta09.westchester.pa.mail.comcast.net comcast ESMTP server ready
quit
221 2.0.0 imta09.westchester.pa.mail.comcast.net comcast closing connection
 
Connection to host lost.
 

This points out that mail.comcast.net is responding to port 25.

No, sir; actually it does not. I was testing against an MX server to refute an argument about the response of an MX server. Nor is my result a failure. It is the wholly expected response of an SMTP server to the, "QUIT" command.

If I were to try the same to the Comcast message submission server, based on the Comcast pubs I would expect failure on port 25 (source IP address is not a Comcast IP address block) but success (to the "QUIT" command) on port 465.
C:\util\dig>telnet mail.comcast.net 25
Connecting To mail.comcast.net...Could not open connection to the host,
on port 25: Connect failed
 

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
reply to JohnInSJ

said by JohnInSJ:

said by NormanS:

Does that qualify as a failure?

Repeated probes with no response to handshake gets you banned from my email server, other admins may choose other patterns of malicious behavior to ban on.

And you claim to run a server! Or is the SMTP "QUIT" command not a proper response to the handshake?

And you not being able to reach an email server is (clearly) no indication of the health of the server.

How is my posted result a failure to reach the server? The server properly responded with its banner, and properly accepted the RFC-compliant SMTP "QUIT" command. If, instead of quit, I had responded with, "EHLO mxa.mydomain.tld", I would have received additional SMTP prompts. As long as I continued to respond to prompts with proper, and appropriate commands, I could have sent an email to any Comcast user whose '@comcast.net' email address I know.

Why do you feel the need to do this from a residential account?

Why do you even care? As long as I am operating within the terms of my ISP.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum
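
The banner-then-QUIT check from the telnet sessions above, scripted so a single connection always ends with a clean QUIT rather than a dropped socket. This is an added example, not code posted by anyone in the thread; the function names and verdict strings are assumptions made for illustration, and the sample session is constructed from the reply lines quoted above.

```python
import io
import socket
import sys

# Plaintext SMTP only (e.g. 25 or 587). Implicit-TLS ports need an ssl wrapper, not shown.
def read_reply(rfile):
    """Read one SMTP reply, which may span several lines; return (code, text)."""
    lines = []
    while True:
        raw = rfile.readline(1024)
        if not raw:
            raise ConnectionError("peer closed before completing a reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ConnectionError(f"not an SMTP reply: {line!r}")
        lines.append(line[4:])
        if line[3:4] != "-":  # "220-" continues the reply, "220 " ends it
            return int(line[:3]), "\n".join(lines)

def banner_and_quit(rfile, wfile):
    """Wait for the 220 banner, send QUIT, expect 221; return (verdict, banner)."""
    code, banner = read_reply(rfile)
    if code != 220:
        return f"rejected-{code}", banner
    wfile.write(b"QUIT\r\n")
    wfile.flush()
    code, _ = read_reply(rfile)
    return ("ok" if code == 221 else f"unexpected-{code}"), banner

def probe(host, port=25, timeout=10.0):
    """One connection and one clean QUIT; failures are reported, never retried."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
                return banner_and_quit(rfile, wfile)
    except OSError as exc:  # refused, timed out, filtered, or closed mid-reply
        return "failed", f"{type(exc).__name__}: {exc}"

# Constructed server side of a session, built from the reply lines quoted in the thread.
SAMPLE = (
    b"220 imta09.westchester.pa.mail.comcast.net comcast ESMTP server ready\r\n"
    b"221 2.0.0 imta09.westchester.pa.mail.comcast.net comcast closing connection\r\n"
)

def demo():
    sent = io.BytesIO()
    verdict, banner = banner_and_quit(io.BytesIO(SAMPLE), sent)
    return verdict, banner, sent.getvalue()

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: script.py HOST [PORT]
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25))
    else:
        print(demo())
```

A "failed" verdict only says the connection did not complete from where the script ran; it cannot tell an ISP block from a firewall at the server or a server that is down.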


JohnInSJ
Premium
join:2003-09-22
San Jose, CA

Didn't see the quit, thought he just disconnected - forgive me. Whatever, no port 25 on residential, that's the rule.
--
My place : »www.schettino.us