Knowledgebase : Email

Comcast Xfinity to Block Port 25

As part of a lengthy and technical blog post about internet security on August 1 of this year, Comcast Voices mentioned that they’d be phasing out support for Port 25 as an option for customers’ outgoing email server (SMTP). The post, which few people likely ever saw, didn’t exactly convey a sense of urgency, but did link to another post written the same day, explaining specifically why Comcast Xfinity would soon be blocking Port 25 (emphasis mine):

Over the past few years, Comcast has managed port 25 by selectively blocking its use in response to spam complaints. This made sense when spam was often sent by an end-user clicking a “send” button. But in this age of bot networks, malware is now responsible for sending the most spam and users are unaware that spam is being sent by their computer.

As a result, we are updating our management of port 25. In order to ensure a more secure network and email domain, Comcast will no longer by default allow access to port 25 for our residential Internet users. In addition, we are asking comcast.net email users to migrate to port 465, which offers SSL encryption. We will continue to support the industry standard port 587. Upon request to our Customer Security Assurance team this block can be removed, enabling access to use port 25 for other email domains, though the comcast.net email servers will no longer accept submission via port 25. These changes will occur gradually across our network beginning today.

Translation: Spambots take advantage of Port 25’s vulnerabilities and use it to send spam from users’ computers. For that reason, Comcast will soon block this outgoing email port for users that use an email client on their computers (rather than webmail), such as MS Outlook, Mozilla Thunderbird, etc. Many ISPs have blocked this port for some time, but it’s a new change for Comcast Xfinity users. It’s important to note that this change has the potential to affect any Comcast Xfinity internet customers who use email software on their computer. While it’s probably a good idea to change your outgoing port settings to 465 or 587, as Comcast advised above, they do state that for non-@comcast.net email accounts, they will unblock port 25 upon request. We would, however, just advise that you change your port settings to make things easier.

To further bolster their case, Xfinity adds the following:

There are a number of other influential bodies that recommend against the use of port 25. The Federal Trade Commission (FTC), an organization that has taken legal action against many spammers, also recommends that port 25 is blocked by ISPs. The recommendation is as follows: “block port 25 except for the outbound SMTP requirements of authenticated users of mail servers designed for client traffic. Explore implementing Authenticated SMTP on port 587 for clients who must operate outgoing mail servers.”

Comcast Xfinity Sends Out Email Warning

As I mentioned, those blog posts were from August 1 – So why are we just bringing this up now? Because for whatever reason, one of our employees just received an email notification about this change at their personal account yesterday. (I mention “personal account” to differentiate from Comcast Business Class, which is our ISP here in the office, and as Comcast stated in the excerpts above, the change is just supposed to impact “residential Internet users”). The one caveat I think users should be aware of here is that some offices probably use “residential” Comcast Xfinity internet service, so you may not be immune to the change just by virtue of the fact that you’re in a commercial setting.

Comcast Outgoing Email Problems?

Have you already experienced outgoing email problems? That wouldn’t be surprising given that despite this email only coming out yesterday, they did announce on their blog (which I’d be willing to bet is very rarely read) that they would start rolling out the change more than 3 months ago. But don’t feel bad if you hadn’t heard and were suddenly unable to send email – you’re not alone.

We’ve actually had a handful of clients call in after experiencing this issue, although in most cases the problem had more to do with people moving from Comcast (and using Port 25) to another ISP that already blocked Port 25. Just a few months ago, an ISP change like this would cause outgoing email issues, but this move by Comcast Xfinity seems geared toward following industry best practices and blocking the port that most others already block. It’s important to note, however, that not all ISPs are blocking and some specifically request that you use 25, as you can see in Fairpoint’s Thunderbird email setup instructions. Just some things worth being aware of in case you plan to move to/from Comcast soon, or even if you’re just an existing customer who uses old port settings.

Vermont Design Works Client Email Settings

If you’re a VDW client, the most important take-away comes in the line about who this impacts. From the second paragraph of the first excerpt above – “comcast.net email users”. If you’re one of our clients, you’ve most likely been set up with email addresses that end in @yourdomain.com. If this is the case and we host your email, we specifically recommend changing your outgoing port to 587 and unchecking the SSL box in your email program’s settings. Comcast’s recommendation of 465 is specifically for @comcast.net email accounts.

Fixing Comcast Outgoing Mail Server Port Issues

If you’re already experiencing issues with outgoing mail, Comcast provided some helpful links in yesterday’s email for configuring outgoing port settings for various email clients:

Email Program Users (Outlook Express, Outlook, MacMail, etc.):
If you use an email program, this action will disable your program’s ability to send email until you change your email program settings to send email on port 465.

To protect your email security, click on the link for your current email software, then follow the step-by-step instructions to change your settings.

Don’t see your email software? Then locate the preferences for your mail account in the software you use and provide the settings listed on this page.

If you’re a Comcast Xfinity internet customer, please let us know in the comments below whether you’ve experienced any outgoing server issues in recent months.

Masscot Internet takes a two-tiered approach to spam prevention. No system is perfect, but we manage to block over 100,000 spam emails a day from ever reaching our customers.

GDMilter is a sendmail milter designed to help ensure that mail received to the server actually originated from an authentic mail server, not a bot or other mass mailer. When GDMilter receives a piece of mail, it returns a delay to the sender mail server. If the sending server is actually a mail server, it will retry the message. If it is not a mail server, but rather a bot or similar, then the mail is not retried. If the message is retried then the sender is whitelisted as an authentic mail sender. The main advantage to this method is that a filter isn't processing the entire message on the server, using up system resources. Any sender/server that is already known to be safe can be manually whitelisted to bypass this delay process.

SpamAssassin is the second tier of defense. If spam passes the first test, SpamAssassin then scans the message based on content and gives it a score. If the score is over the configured threshold (0-40), it is deleted. Messages marked as spam can also be placed in a single file on the server, however this file can grow rapidly and will need to be monitored/rotated on a regular basis. Whitelisting and blacklisting can also be done via SpamAssassin.

SpamAssassin and GDMilter will provide great improvements in spam prevention. They are not designed to solve all the server load problems that may be occurring on very busy servers. By nature, GDMilter is a memory-resident program, drawing its resources from your server's RAM. Because it is a memory-resident program, it cannot be run effectively on any server with less than 1 GB of RAM or a CPU slower than 1.4 GHz. As such, you cannot install this GDMilter/SpamAssassin solution on any server without these minimum hardware requirements.

Why is my mail delayed?
The milter is designed to delay mail. The delay is set to 1 minute. Under normal circumstances mail is only delayed a minute or two until the from/recipient/mail server IPs are whitelisted. After being whitelisted there is no delay at all. However, if the sending server is very busy, there is the potential for a longer delay. If you have IPs for yourself or your clients that are known to be "spam safe", those can be whitelisted. This will cause anything sent from those IPs to bypass the milter process. It is not wise to whitelist a receiving domain, as it defeats the purpose of having a filter on the server to cut back on sendmail processes, mail traffic, and spam. However, it can be done with the whitelist interface.
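The retry test GDMilter is described as performing, together with the 1-minute delay and manual whitelist from the answer above, sketched as an added example. This is not GDMilter's own code; the 451 reply code, the one-day expiry, the class and function names and the sample addresses are assumptions constructed for illustration.

```python
# Added illustration of a retry-based (greylisting) check; not GDMilter's source.
TEMPFAIL = 451   # assumed reply code: SMTP "try again later"
ACCEPT = 250

class Greylist:
    def __init__(self, delay=60, expiry=86400, trusted_ips=()):
        self.delay = delay                    # 1 minute, as stated on the page
        self.expiry = expiry                  # assumption: forget unretried attempts after a day
        self.trusted_ips = set(trusted_ips)   # manually whitelisted "spam safe" IPs
        self.pending = {}                     # triplet -> time of first attempt
        self.whitelist = set()                # triplets that retried correctly

    def check(self, ip, mail_from, rcpt_to, now):
        """Return the SMTP reply code for one delivery attempt at time `now` (seconds)."""
        if ip in self.trusted_ips:
            return ACCEPT                     # bypasses the delay entirely
        triplet = (ip, mail_from.lower(), rcpt_to.lower())
        if triplet in self.whitelist:
            return ACCEPT                     # already proven to be a real mail server
        first = self.pending.get(triplet)
        if first is None or now - first > self.expiry:
            self.pending[triplet] = now       # first sighting: defer without reading the body
            return TEMPFAIL
        if now - first < self.delay:
            return TEMPFAIL                   # retried too soon; delay counts from first attempt
        del self.pending[triplet]
        self.whitelist.add(triplet)           # the sender queued the message and retried
        return ACCEPT

# Constructed attempts: (seconds, client IP, envelope sender, recipient)
ATTEMPTS = [
    (0,   "192.0.2.10",   "alice@example.org", "bob@example.net"),  # real server, first try
    (5,   "203.0.113.66", "promo@example.com", "bob@example.net"),  # bot, never retries
    (30,  "192.0.2.10",   "alice@example.org", "bob@example.net"),  # retry inside the delay
    (300, "192.0.2.10",   "alice@example.org", "bob@example.net"),  # normal queue retry
    (900, "192.0.2.10",   "alice@example.org", "bob@example.net"),  # later mail, no delay
    (901, "198.51.100.7", "crm@example.org",   "bob@example.net"),  # manually trusted IP
]

def replay(attempts, **kwargs):
    """Feed the attempts through a fresh Greylist and return the reply codes."""
    gl = Greylist(**kwargs)
    return [gl.check(ip, frm, to, t) for t, ip, frm, to in attempts]

if __name__ == "__main__":
    print(replay(ATTEMPTS, trusted_ips={"198.51.100.7"}))
```

The bot's single attempt at second 5 is never followed by a retry, so its message is never accepted, while the real server pays the delay once and is accepted immediately afterwards.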

Why am I still getting spam?
We could turn down the required spam score for SpamAssassin from the default of 5 to a lower setting, and this will filter out more spam messages. Please note that this also creates a higher chance that legitimate mail will be blocked too. GDMilter and SpamAssassin will not stop all spam; no spam solution can. The products will reduce the amount of spam that reaches the end user.

Why am I getting so many support requests after installing this product?
The initial adjustment period that is associated with these products can cause some clients to worry about lost or delayed mail. In most cases, after users learn what was going on and see the positive effect of less spam, support requests decline within a week of implementing the filters. In order to keep any surge in support requests to a manageable level, we advise that you spread out the timeframe over which you activate the services on each of your servers. Installing the spam services on one or two servers a day is advisable.


Setting up Mail with Microsoft Outlook:

1. After loading Outlook, choose Tools... --> Services...
2. Click add, and choose Internet E-Mail. Click OK.
3. In the General tab of the email Properties dialog box, fill in your personal information.
4. Click on the Servers tab, and fill in the server information. The Outgoing Mail (SMTP) and incoming mail server should be your domain (e.g. mail.yourdomainname.com). Put in your mailbox username (e.g. yourdomainname\account name) in the account name field, and the password below. Click OK.
5. Your new settings will not take effect until you choose Exit and Log off on the File menu, and then restart Microsoft Outlook.


Setting up Microsoft Outlook Express 5.0

These instructions are accurate, as of Microsoft Outlook Express 5.0.

1. When Outlook Express Starts click Tools -> Accounts.
2. Inside the "Internet Accounts Windows" click Add -> Mail.
3. Fill in your name. Click Next.
4. Click "I already have an e-mail address that I'd like to use" and fill in your email address. Click Next.
5. On the "Email Servers Name" page, fill in the server information. "My incoming mail server is a POP3 server." The incoming mail server should be your domain. The Outgoing Mail (SMTP) should also be your domain name only (e.g. mail.yourdomainname.com). Click Next.
6. Put in your mailbox username (e.g. yourdomainname\account name) in the account name field, and the password below. Click Next.
7. Click Finish.


**Port number would be default.


Properties:
Outlook: Properties -> More Settings -> Outgoing Server -> requires authentication: yes, then of the three options: login before sending.

Outlook Express: Tools -> Accounts, select accounts, Add -> Mail option, mail server, Next, Finish. Properties: Accounts tab -> Properties (right side) -> Servers -> authentication: yes -> Settings -> radio button "Use same settings as incoming mail" -> OK. Done.

If your email server has been blacklisted, it is usually because you or someone else using the same mail server IP address is being reported to their ISP as a spammer.

The blacklists reporting you to be a spammer may be found, along with your IP address, in the bounced emails, which usually include them.

To see if your IP is blacklisted go to: http://www.mxtoolbox.com/blacklists.aspx?AG=GBL&gclid=CJ2Axfygz6ACFdpR2godxm1GzQ

There are 105 anti-spam blacklists that we know of. If you get blacklisted please open a ticket in our SupportSuite and copy and paste the entire message in the bounced email saying why you were bounced. Our engineers will contact these blacklist operators in an attempt to get you delisted. It can take up to 24-48 hours to get your server delisted, but you can get relisted if someone else reports you as spamming them.

The blacklists are independently operated and Masscot has no control over their actions or policies, but they do provide a way to request delisting and we can take care of requesting delisting for you. Please make sure your emails comply with all email rules, including the ability for the receiver to request that their address be removed from your mailing lists on each and every email you send. Please see the CAN-SPAM Act for more info: http://www.ftc.gov/bcp/edu/pubs/business/ecommerce/bus61.shtm

Controlling Spam:

On our old servers we had SpamAssassin and GDMilter set up server wide. We had a hard time balancing everyone's needs that way. Customers who were getting too much spam complained about that so we increased the filtering only to get complaints from other customers that important email was getting filtered out. So now on our Cloud System we have chosen to put total SPAM control in the customer's hands so everyone can adjust their filters to their own particular needs.

Go into your cPanel, find SpamAssassin and enable it. Start with the default setting of 5. Enable the spam box feature for a few days so you can check whether it is filtering out any good mail. If it is, you can whitelist the senders or increase the setting to a higher number. Each higher number filters less email, and ten is almost no filtering. The lower the number, the more aggressive the filtering. If it is filtering out too much, you can go back up a number.

The next thing to do is activate Account Level Filtering and User Level Filtering. Determine what kinds of spam you are receiving and set up some additional filters. Account Level Filtering filters ALL email addresses on your site. User Level Filtering filters email to one particular address. Both work exactly the same way. The only difference is whether you want to filter mail for all addresses or for only one email address, for example to filter one particular address on additional words and phrases not covered by Account Level Filtering.

Example: We have a mailbox that is used for anything we think might generate spam. It generally receives 600 messages per day if left unfiltered, and about 95% of messages are spam. So we set up filters with the User Level Filtering tool, including words and phrases from the most offending spam messages we had received. The next day a total of 50 messages were received, so it is very effective, and we then added more filters to block those.

You can filter mail to all mailboxes or filter based on individual mailbox needs, or you can do a combination of both. If you have Account Level Filtering and there is a particular email account that needs additional filtering, go to User Level Filtering and add additional filters for that account.

For even more protection, look into Email authentication. This tool will help you further control spam and should help reduce email coming from fake addresses and spoofed addresses.

It should only take about 30 minutes to do all of this and once you get it set to the correct levels for your email accounts you should be able to block most unwanted email yet still receive email you wish to receive. These filters can be adjusted at any time.  

If you need help setting these up please open a ticket at http://masscot.helpserve.com or if you are registered in our Support Suite you can email support@masscothosting.net.

If you are a Verizon Broadband customer and are having problems sending email with Outlook or Outlook Express, please read the following:

Verizon has issued a directive to its broadband customers that if you use a third party email service (like Masscot) and also use Outlook to handle the email on your desktop, you'll need to configure your Outlook to change your outgoing email port to Port 587, rather than the usual Port 25. This went into effect October 20. It's part of their new anti-spam initiative.
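To see which outgoing ports a given connection actually allows (the Port 25 blocks by Comcast and Verizon described on this page), the following added example, which is not part of the original articles, probes a mail server on ports 25, 587 and 465. The hostname mail.yourdomainname.com is the placeholder from the setup instructions above, and the function names are made up for this example.

```python
import smtplib
import ssl
import sys

def probe(host, port, implicit_tls=False, timeout=10):
    """Connect to one SMTP port and report what a mail client would find there."""
    result = {"port": port, "reachable": False, "starttls": False,
              "auth": False, "error": None}
    ctx = ssl.create_default_context()          # verifies the server certificate
    opts = dict(local_hostname="probe.invalid", timeout=timeout)
    try:
        if implicit_tls:                        # port 465: TLS before any SMTP command
            conn = smtplib.SMTP_SSL(host, port, context=ctx, **opts)
        else:                                   # ports 25 and 587: plain, then STARTTLS
            conn = smtplib.SMTP(host, port, **opts)
        with conn:
            result["reachable"] = True
            conn.ehlo()
            if not implicit_tls and conn.has_extn("starttls"):
                result["starttls"] = True
                conn.starttls(context=ctx)
                conn.ehlo()                     # servers often list AUTH only after TLS
            result["auth"] = conn.has_extn("auth")
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result

def survey(host, timeout=10):
    """Probe the three ports the page discusses: 25, 587 and 465."""
    return [probe(host, 25, timeout=timeout),
            probe(host, 587, timeout=timeout),
            probe(host, 465, implicit_tls=True, timeout=timeout)]

if __name__ == "__main__":
    # Placeholder hostname from the setup instructions; pass your own server instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.yourdomainname.com"
    for r in survey(target):
        state = "open" if r["reachable"] else "blocked or closed"
        print(f"port {r['port']}: {state}, STARTTLS={r['starttls']}, "
              f"AUTH={r['auth']}, error={r['error']}")
```

A failure on port 25 while 587 answers from the same connection is consistent with the ISP block described above.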