Comcast is now blocking outbound connections with a source port of 25 on business circuits

phonic, April 12, 2013 at 03:48 PM
So a few of our customers just ran into this issue, and it seems to be spreading.

First, I will preface this with the fact that I understand that a few ISPs will, in the effort of blocking spam, block outbound traffic with a destination port of 25 on residential circuits. This way, if a home computer is compromised and becomes part of a botnet, it can't flood the Internet with spam. While there are pros and cons to this strategy, that isn't the situation I'm dealing with. Additionally, this is generally restricted to residential, and not business grade, Internet circuits.

A week or so ago, one of our customers, which runs its own email server, decided to get a backup circuit set up in case their primary (FiOS) circuit went down. The only logical option was Comcast. They got a business circuit with a 5-block of static IPs. We attempted to set up one, which is going through a Sonicwall firewall, as the backup MX record. We immediately noticed that it wasn't working.

Our first thought was Comcast was blocking port 25 (destination port) inbound, but tests showed that we could in fact receive traffic. We tested this on one of the extra IPs by using tcpdump on a box plugged right into the cable modem to see if inbound traffic was hitting port 25 - it was.

So we assumed a firewall rule was the issue, and spent quite some time troubleshooting that. Our initial review showed nothing wrong. Examining the firewall logs showed the traffic was matching the firewall and NAT rules. It even logged open TCP sessions based on the rule, so the traffic WAS hitting the firewall. The internal mail server was also showing an active connection, but nothing was getting back to the remote IP. Redirecting another port to 25 internally (ie: 1125->25) worked fine. We even escalated to Sonicwall, and they saw nothing wrong.

After eliminating the Sonicwall, we went back to the idea that the Comcast circuit was at fault. Based on what we knew, I figured the only way this would be the case was if Comcast was blocking outbound packets with a source port of 25. This, to me, seemed unlikely, as it was a stupid policy that made little sense, but it was the only logical cause I could think of. Then, all of a sudden yesterday, another one of our customers who uses Comcast as a primary circuit couldn't receive email either. Exact same circumstances.

So today, I decided to run some tests of my own on-site, and confirmed that they are doing just that.

To clarify, a machine on the Comcast IP can send out to a destination port of 25 using any source port (outside of 25). A remote machine can send traffic to the Comcast IP with a destination port of 25 and a source port of anything (including 25) and the traffic gets through. But the Comcast IP can't respond to it, because the return traffic would have a source port of.....25.

This affects both responses from the port 25 service as well as random traffic initiating from 25 (which wouldn't normally happen unless you force it).

Now, again, this is stupid. If the purpose was to block spam, this does nothing. It doesn't prevent people from connecting out to port 25, and thus a spammer could still send out emails. If the purpose was to block email servers, they should block inbound traffic with a destination port of 25, this way the SYN packet never hits the customer's machine. But in this case it does, but the SYN/ACK never makes it back.

Also, as this is a business class circuit, they shouldn't be blocking anything.

The fact that the rule is ass backwards makes me think that some engineer screwed up. But as I mentioned, this 'rule' seems to be spreading.

I haven't contacted Comcast yet about it since it's late on Friday and I have more important things to do than bang my head against the wall with a Tier 1 technician for hours, but I will be contacting them Monday.

Thought I would share in case anyone else runs into a similar problem.
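Added example, not code from the thread: a small Python model of the filter asymmetry described above, replaying a TCP handshake through the observed "drop egress packets with source port 25" rule and through the "drop ingress packets to destination port 25" rule that a deliberate mail-server block would use. The addresses, ephemeral ports and policy function names are constructed for illustration.

```python
# Added example (not from the thread): toy model of the two filter policies contrasted above.
# Addresses, ports and function names are constructed for illustration.
from dataclasses import dataclass

SMTP = 25
CUSTOMER = "203.0.113.10"   # constructed: the customer's static IP on the Comcast circuit
REMOTE = "198.51.100.20"    # constructed: a remote mail server on the Internet

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN/ACK" or "ACK"

def egress(p: Pkt) -> bool:
    """True when the packet leaves the customer network toward the Internet."""
    return p.src == CUSTOMER

def policy_egress_src25(p: Pkt) -> bool:
    """The behaviour observed in the thread: drop outbound packets whose SOURCE port is 25."""
    return not (egress(p) and p.sport == SMTP)

def policy_ingress_dst25(p: Pkt) -> bool:
    """What a deliberate 'no inbound mail server' rule looks like: drop inbound packets to port 25."""
    return not ((not egress(p)) and p.dport == SMTP)

def handshake(policy, client, cport, server, sport):
    """Replay a TCP three-way handshake through `policy`; return the dropped step, or None if it completes."""
    steps = [
        Pkt(client, cport, server, sport, "SYN"),
        Pkt(server, sport, client, cport, "SYN/ACK"),
        Pkt(client, cport, server, sport, "ACK"),
    ]
    for p in steps:
        if not policy(p):
            return p.flags
    return None

def inbound_delivery(policy, dport=SMTP):
    """A remote MTA delivering to the customer's server on `dport` from an ephemeral source port."""
    return handshake(policy, REMOTE, 40000, CUSTOMER, dport)

def outbound_delivery(policy):
    """The customer's server (or a spam bot behind it) delivering to a remote MX on port 25."""
    return handshake(policy, CUSTOMER, 40001, REMOTE, SMTP)
```

Under the observed rule the inbound SYN arrives and only the SYN/ACK is lost, exactly the tcpdump picture in the post, while outbound port-25 delivery is untouched; redirecting delivery to an alternate external port (the 1125 trick) completes because the reply no longer carries source port 25.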

35 Comments


#2
Port | Transport | Protocol | Inbound/Outbound | Reason for block
25 | TCP | SMTP | Both | Port 25 is unsecured, and Botnet spammers can use it to send spam. This does not affect XFINITY Connect usage. We recommend configuring your email program to use port 465.
68 | UDP | BOOTP, DHCP | Inbound | UDP Port 68, which is used to obtain dynamic Internet Protocol (IP) address information from our dynamic host configuration protocol (DHCP) server, is vulnerable to malicious hacks.
135-139 | TCP/UDP | NetBios | Both | NetBios services allow file sharing over networks. When improperly configured, ports 135-139 can expose critical system files or give full file system access (run, delete, copy) to any malicious intruder connected to the network.
161-162 | TCP/UDP | SNMP | Both | SNMP is vulnerable to reflected amplification distributed denial of service (DDoS) attacks.
445 | TCP | MS-DS, SMB | Both | Port 445 is vulnerable to attacks, exploits and malware such as the Sasser and Nimda worms.
520 | TCP/UDP | RIP | Both | Port 520 is vulnerable to malicious route updates, which provides several attack possibilities.
1080 | TCP | SOCKS | Inbound | Port 1080 is vulnerable to, among others, viruses, worms and DoS attacks.

http://customer.comcast.com/help-...-supported


Email is used for important communications and Comcast wants to ensure that these communications are both as secure and as private as possible. As such, Comcast does not support port 25 for the transmission of email by our residential Internet customers. Much of the current use of port 25 is by computers that have been infected by malware and are sending spam without the knowledge of the users of those computers.
Original Poster
#3
Quote from boltman2007 View Post :
....
If you read my post, you would have seen that I already covered this.

They are not blocking outbound email. I can send out to destination port 25 all day long. They are blocking outbound traffic with a source port of 25. This doesn't block spam, as spam would use a destination port of 25. This also isn't the proper way to block email servers. All this does is break legitimate inbound email.

Additionally, your citation, which is horribly formatted by the way, covers sending email to an SMTP server from your Comcastic IP. That is not the issue here and is completely irrelevant.

When you send an email, your email server has to deliver it to the recipient's server. This occurs on port 25. As a recipient, you can't use custom ports, as you would never get email.

And, again, as a business customer, our customer is well within their rights to have an on-premise email server. They pay a premium for it over residential customers.

So, as I stated, this is a very bad implementation of a rule, a rule that shouldn't even exist on this level of circuit, by Comcast.
#4
Use the alternate Port 587.
Original Poster
#5
Quote from boltman2007 View Post :
Use the alternate Port 587.
I can't tell whether you're trolling or just Censored.

In case it's the latter, once again I will attempt to be even more clear:

Public Internet email is ALWAYS delivered to an inbound email server using port 25. No exceptions. Not port 587. Not port 26. Port 25. No exceptions. There is no encryption, no authentication, no non-standard ports. It's unencrypted port 25 submission only. Period. The end.

As I said before, you are confusing a client sending email to an outbound email server with an outbound email server sending email to an inbound server.
#6
Quote from phonic View Post :
I can't tell whether you're trolling or just Censored.

In case it's the latter, once again I will attempt to be even more clear:

Public Internet email is ALWAYS delivered to an inbound email server using port 25. No exceptions. Not port 587. Not port 26. Port 25. No exceptions. There is no encryption, no authentication, no non-standard ports. It's unencrypted port 25 submission only. Period. The end.

As I said before, you are confusing a client sending email to an outbound email server with an outbound email server sending email to an inbound server.
I know about ports... LOL

Anyhow they just don't want you to set up an e-mail server... without paying them to unlock the port.

You can use their mail server (their email accounts) to send email, but if you have your own domain and mail server outside of their control, you can't send email to it on normal port 25. You have to use port 587 which is authenticated (hopefully since you set it up) to send email to it and then that server will deliver it to the recipient via port 25.
#7
Quote from phonic View Post :
I can't tell whether you're trolling or just Censored.

In case it's the latter, once again I will attempt to be even more clear:

Public Internet email is ALWAYS delivered to an inbound email server using port 25. No exceptions. Not port 587. Not port 26. Port 25. No exceptions. There is no encryption, no authentication, no non-standard ports. It's unencrypted port 25 submission only. Period. The end.

As I said before, you are confusing a client sending email to an outbound email server with an outbound email server sending email to an inbound server.
Did you call them? I have a feeling that someone messed something up when they did something (engineer perhaps).

Anyhow, there is a reason why Comcast = Comcrap. laugh out loud
Original Poster
#8
Quote from boltman2007 View Post :
I know about ports... LOL

Anyhow they just don't want you to set up an e-mail server... without paying them to unlock the port.
You might know about ports, but you certainly don't understand how they work.

In any case, my post wasn't looking for advice. I was simply trying to pass along information that might be beneficial to people who manage email servers, use Comcast, and all of a sudden have issues receiving mail. One of our customers was affected by this earlier this week, and another yesterday.

Comcast does not charge a "mail server premium fee" to unblock a port. While they are certainly within their rights to block service ports on residential accounts, as they restrict this in their T&Cs, they already allow it on business class circuits which do pay a premium for it.

And, once again repeating myself, even if their goal was to block email servers, the proper way would have been to block ingress traffic with a destination port of 25, not egress traffic with a source port of 25. So it is either some provisioning bug or a horrible implementation of some filtering policy.

Anyway, I'm done with this conversation.

#9
Quote from phonic View Post :
You might know about ports, but you certainly don't understand how they work.

In any case, my post wasn't looking for advice. I was simply trying to pass along information that might be beneficial to people who manage email servers, use Comcast, and all of a sudden have issues receiving mail. One of our customers was affected by this earlier this week, and another yesterday.

Comcast does not charge a "mail server premium fee" to unblock a port. While they are certainly within their rights to block service ports on residential accounts, as they restrict this in their T&Cs, they already allow it on business class circuits which do pay a premium for it.

And, once again repeating myself, even if their goal was to block email servers, the proper way would have been to block ingress traffic with a destination port of 25, not egress traffic with a source port of 25. So it is either some provisioning bug or a horrible implementation of some filtering policy.

Anyway, I'm done with this conversation.
Well thanks for the PSA... noted
Original Poster
#10
Quote from daniel32 View Post :
Did you call them? I have a feeling that someone messed something up when they did something (engineer perhaps).

Anyhow, there is a reason why Comcast = Comcrap. laugh out loud
Not yet. It is going to be an exercise in futility trying to get anyone at Comcast on the phone who knows what I'm talking about, let alone can fix the problem. I can guarantee you I'm going to get someone who makes the same type of "helpful suggestions" as I've been dealing with here.

Plus, neither customer is 'down'. It was just a backup circuit for the first one, and the primary is operational and isn't blocked (thank you FiOS). For the second customer, this is their only circuit, but they are using MXLogic (which is a hosted platform) as their filtering system, which is the official MX server. As a result, I was able to alter the port that they use to deliver email to the client's server. And before anyone chimes in with a stupid comment, the email is being delivered to MXLogic on port 25.

I'll take some xanax Monday morning and give it a shot.
#11
Quote from phonic View Post :
Not yet. It is going to be an exercise in futility trying to get anyone at Comcast on the phone who knows what I'm talking about, let alone can fix the problem. I can guarantee you I'm going to get someone who makes the same type of "helpful suggestions" as I've been dealing with here.

Plus, neither customer is 'down'. It was just a backup circuit for the first one, and the primary is operational and isn't blocked (thank you FiOS). For the second customer, this is their only circuit, but they are using MXLogic (which is a hosted platform) as their filtering system, which is the official MX server. As a result, I was able to alter the port that they use to deliver email to the client's server. And before anyone chimes in with a stupid comment, the email is being delivered to MXLogic on port 25.

I'll take some xanax Monday morning and give it a shot.
Calling tech support is a pain (I hear you). Especially when you are into computer networks or IT yourself. LMAO
#12
While similar to information already posted here, this page gives information on port restrictions for their business class service (the earlier info was for consumer/home service): http://businesshelp.comcast.com/h...-internet/

Quote :
In very rare situations, port 25 will be blocked by Comcast Customer Security Assurance on a per customer basis (blocked at the modem) and not across the network. This block will be preceded by an email and letters to the billing address. In this case, you can use secured port 587 for sending email. Get instructions to configure your email client to send via a secured port.

If you are running a mail server please contact Comcast Customer Security Assurance at 1-877-807-6580 for more information on this block.

Port | Transport | Protocol | How and why it's blocked
25 | TCP | SMTP | Inbound and outbound, not blocked by default. We may apply a sending block, which does not interrupt Comcast webmail service. However, it will prevent email programs or clients (e.g., Outlook Express) from sending email. An unsecured port that can be used to send spam. Customers may be advised by our Security Assurance team to switch their modem connection to a secured port that requires authentication (such as port 587).
Hopefully the contact information on this page gets you to someone who knows their head from their ass faster than their typical support phone number. Best of luck with your comcastrophie.
#13
Interesting to note that it's not blocked by default - so you should ask them when/why they started blocking it, and ask them to un-block when they start to stutter.
#14
Nevermind
Original Poster
#15
Quote from jkee View Post :
While similar to information already posted here, this page gives information on port restrictions for their business class service (the earlier info was for consumer/home service): http://businesshelp.comcast.com/h...-internet/


Hopefully the contact information on this page gets you to someone who knows their head from their ass faster than their typical support phone number. Best of luck with your comcastrophie.
Thanks for that info and contact number, I'll give that a try on Monday.

The content seems a bit contradictory though. The majority is referencing sending email, and yet there is a single part about running a mail server. Looking at the page you linked, it also only mentions a "sending block".

In the two cases I mentioned, port 25 outbound works fine, so it doesn't seem to make any sense. My money is on some engineer (or automated script) making a mistake.

Also, in these customers' cases, I am positive they wouldn't have triggered any flags. The first customer never even used any of their Comcast IPs (new circuit) to send/receive email yet. The other customer was, but only through MXLogic, which means they wouldn't have been blacklisted even if there was a spam issue. And they certainly didn't receive any warning from Comcast.

Oh well.