Comcast is now blocking outbound connections with a source port of 25 on business circuits
First, I will preface this with the fact that I understand that a few ISPs will, in the effort of blocking spam, block outbound traffic with a destination port of 25 on residential circuits. This way, if a home computer is compromised and becomes part of a botnet, it can't flood the Internet with spam. While there are pros and cons to this strategy, that isn't the situation I'm dealing with. Additionally, this is generally restricted to residential, and not business grade, Internet circuits.
A week or so ago, one of our customers, which run their own email server, decided to get a backup circuit setup in case their primary (FiOS) circuit went down. The only logical option was Comcast. They got a business circuit with a 5-block of static IPs. We attempted to set up one, which is going through a Sonicwall firewall, as the backup MX record. We immediately noticed that it wasn't working.
Our first though was Comcast was blocking port 25 (destination port) inbound, but tests showed that we could in fact receive traffic. We tested this on one of the extra IPs by using tcpdump on a box plugged right into the cable modem to see if inbound traffic was hitting port 25 - it was..
So we assumed a firewall rule was the issue, and spent quite some time troubleshooting that. Our initial review showed nothing wrong. Examining the firewall logs showed the traffic was matching the firewall and NAT rules. It even logged open TCP sessions based on the rule, so the traffic WAS hitting the firewall. The internal mail server was also showing an active connection, but nothing was getting back to the remote IP. Redirecting another port to 25 internally (ie: 1125->25) worked fine. We even escalated to Sonicwall, and they saw nothing wrong.
After eliminating the Sonicwall, we went back to the idea that the Comcast circuit was at fault. Based on what we knew, I figured the only way this would be the case was if Comcast was blocking outbound packets with a source port of 25. This, to me, seemed unlikely, as it was a stupid policy that made little sense, but it was the only logical cause I could think of. Then, all of a sudden yesterday, another one of our customers who use Comcast as a primary circuit couldn't receive email either. Exact same circumstances.
So today, I decided to run some tests of my own on-site, and confirmed that they are doing just that.
To clarify, a machine on the Comcast IP can send out to a destination port of 25 using any source port (outside of 25). A remote machine can send traffic to the Comcast IP with a destination port of 25 and a source port of anything (including 25) and the traffic gets through. But the Comcast IP can't respond to it, because the return traffic would have a source port of.....25.
This affects both responses from the port 25 service as well as random traffic initiating from 25 (which wouldn't normally happen unless you force it).
Now, again, this is stupid. If the purpose was to block spam, this does nothing. It doesn't prevent people from connecting out to port 25, and thus a spammer could still send out emails. If the purpose was to block email servers, they should block inbound traffic with a destination port of 25, this way the SYN packet never hits the customer's machine. But in this case it does, but the SYN/ACK never makes it back.
Also, as this is a business class circuit, they shouldn't be blocking anything.
The fact that the rule is ass backwards make me think that some engineer screwed up. But as I mentioned, this 'rule' seems to be spreading.
I haven't contacted Comcast yet about it since it's late on Friday and I have more important things to do then bang my head against the wall with a Tier 1 technician for hours, but I will be contacting them Monday.
Thought I would share in case anyone else runs into a similar problem.